pf: mark netlink commands as requiring NETINET_PF privileges

Sponsored by: Rubicon Communications, LLC ("Netgate")
2024-07-09 04:36:31 +00:00 · 2023-12-22 17:40:52 +01:00 · 2023-12-22 17:40:52 +01:00 · e774c1ef27
commit e774c1ef27
parent d281fece43
1 changed files with 7 additions and 0 deletions
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@ -30,6 +30,7 @@
 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/ucred.h>

@ -712,36 +713,42 @@ static const struct genl_cmd pf_cmds[] = {
 		.cmd_name = "GETSTATES",
 		.cmd_cb = pf_handle_getstates,
 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 	{
 		.cmd_num = PFNL_CMD_GETCREATORS,
 		.cmd_name = "GETCREATORS",
 		.cmd_cb = pf_handle_getcreators,
 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 	{
 		.cmd_num = PFNL_CMD_START,
 		.cmd_name = "START",
 		.cmd_cb = pf_handle_start,
 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 	{
 		.cmd_num = PFNL_CMD_STOP,
 		.cmd_name = "STOP",
 		.cmd_cb = pf_handle_stop,
 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 	{
 		.cmd_num = PFNL_CMD_ADDRULE,
 		.cmd_name = "ADDRULE",
 		.cmd_cb = pf_handle_addrule,
 		.cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 	{
 		.cmd_num = PFNL_CMD_GETRULES,
 		.cmd_name = "GETRULES",
 		.cmd_cb = pf_handle_getrules,
 		.cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL,
+		.cmd_priv = PRIV_NETINET_PF,
 	},
 };