PERFORCE change 98196 for review
Robert Watson
rwatson at FreeBSD.org
Wed May 31 03:37:35 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=98196
Change 98196 by rwatson at rwatson_peppercorn on 2006/05/31 10:34:58
Add two entry points, mac_ipfw_tcpreflect() and
mac_ipfw_tcpkeepalive(), intended to allow ipfw to label packets it
generates. Not yet fully implemented.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 (text+ko) ====
@@ -1524,9 +1524,12 @@
* When flags & TH_RST, we are sending a RST packet, because of a
* "reset" action matched the packet.
* Otherwise we are sending a keepalive, and flags & TH_
+ * The 'replyto' mbuf is the mbuf being replied to, if any, and is required
+ * so that MAC can label the reply appropriately.
*/
static struct mbuf *
-send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
+send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
+ u_int32_t ack, int flags)
{
struct mbuf *m;
struct ip *ip;
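Review bot: The added comment says the 'replyto' mbuf "is required", but the keepalive caller at @@ -4082 passes NULL for it, so the NULL case is part of the contract and should be spelled out rather than left to "if any". Suggested wording for the two added comment lines: ` * The 'replyto' mbuf is the packet a RST is sent in reply to, so that MAC can label the reply from it; it is NULL when the packet being built is a keepalive.` The sentence just above it (`flags & TH_`) appears cut off and could be completed in the same edit. send_pkt() continues past the end of this hunk.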
@@ -1536,6 +1539,13 @@
if (m == 0)
return (NULL);
m->m_pkthdr.rcvif = (struct ifnet *)0;
+
+#ifdef MAC
+ if (replyto != NULL)
+
+
+#endif
+
m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
m->m_data += max_linkhdr;
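Review bot: Under `#ifdef MAC` the added `if (replyto != NULL)` has no statement of its own, so it binds to the first statement after `#endif`, `m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);`, and a MAC kernel silently skips setting the packet length whenever replyto is NULL, which is exactly what the keepalive caller at @@ -4082 passes. Even as a placeholder the branch needs a body, and the natural one is the pair of entry points this same change introduces: `if (replyto != NULL) mac_ipfw_tcpreflect(replyto, m); else mac_ipfw_tcpkeepalive(m);`. As committed, mac_ipfw_tcpkeepalive() has no caller at all, so the keepalive packets ipfw generates stay unlabeled on the MAC path. send_pkt() continues outside the hunk.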
@@ -1620,8 +1630,8 @@
L3HDR(struct tcphdr, mtod(args->m, struct ip *));
if ( (tcp->th_flags & TH_RST) == 0) {
struct mbuf *m;
- m = send_pkt(&(args->f_id), ntohl(tcp->th_seq),
- ntohl(tcp->th_ack),
+ m = send_pkt(args->m, &(args->f_id),
+ ntohl(tcp->th_seq), ntohl(tcp->th_ack),
tcp->th_flags | TH_RST);
if (m != NULL)
ip_output(m, NULL, NULL, 0, NULL, NULL);
@@ -4082,7 +4092,7 @@
if (TIME_LEQ(q->expire, time_uptime))
continue; /* too late, rule expired */
- *mtailp = send_pkt(&(q->id), q->ack_rev - 1,
+ *mtailp = send_pkt(NULL, &(q->id), q->ack_rev - 1,
q->ack_fwd, TH_SYN);
if (*mtailp != NULL)
mtailp = &(*mtailp)->m_nextpkt;
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 (text+ko) ====
@@ -309,3 +309,29 @@
INP_LOCK_ASSERT(inp);
MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
}
+
+void
+mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to)
+{
+ struct label *fromlabel, *tolabel;
+
+ M_ASSERTPKTHDR(from);
+ M_ASSERTPKTHDR(to);
+
+ fromlabel = mac_mbuf_to_label(from);
+ tolabel = mac_mbuf_to_label(to);
+
+ MAC_PERFORM(ipfw_tcpreflect, from, fromlabel, to, tolabel);
+}
+
+void
+mac_ipfw_tcpkeepalive(struct mbuf *m)
+{
+ struct label *label;
+
+ M_ASSERTPKTHDR(m);
+
+ label = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(ipfw_tcpkeepalive, m, label);
+}
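Review bot: Neither mac_ipfw_tcpreflect() nor mac_ipfw_tcpkeepalive() carries a comment, and this is the place to state the contract that callers and policy modules will rely on: which mbuf is the original and which is the generated reply, and that both must be packet-header mbufs (the M_ASSERTPKTHDR checks are, if I recall, compiled in only for INVARIANTS kernels, so they do not enforce this in production). Suggested header for the first: `/* Label the TCP reply 'to' that ipfw generates for packet 'from'; both must be pkthdr mbufs. */` and for the second: `/* Label a TCP keepalive that ipfw generates on its own, with no originating packet. */`. It would also help to say whether policies may leave these ops unset, since every packet ipfw emits passes through here.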
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 (text+ko) ====
@@ -283,6 +283,8 @@
void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
+void mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to);
+void mac_ipfw_tcpkeepalive(struct mbuf *m);
/*
* Labeling event operations: processes.
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 (text+ko) ====
@@ -328,6 +328,11 @@
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
struct label *label, struct inpcb *inp,
struct label *inplabel);
+typedef void (*mpo_ipfw_tcpreflect_t)(struct mbuf *from,
+ struct label *fromlabel, struct mbuf *to,
+ struct label *tolabel);
+typedef void (*mpo_ipfw_tcpkeepalive_t)(struct mbuf *m,
+ struct label *label);
/*
* Labeling event operations: processes.
@@ -748,6 +753,8 @@
mpo_update_ipq_t mpo_update_ipq;
mpo_update_mbuf_from_cipso_t mpo_update_mbuf_from_cipso;
mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
+ mpo_ipfw_tcpreflect_t mpo_ipfw_tcpreflect;
+ mpo_ipfw_tcpkeepalive_t mpo_ipfw_tcpkeepalive;
/*
* Labeling event operations: processes.