Date: Tue, 20 Jun 2006 00:31:35 +0200 From: Max Laier <max@love2party.net> To: trustedbsd-discuss@freebsd.org Cc: Christian Brueffer <brueffer@freebsd.org> Subject: Re: MAC Framework has confict with IP firewall Message-ID: <200606200031.41919.max@love2party.net> In-Reply-To: <200606172359.13019.max@love2party.net> References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net>
--nextPart1469172.zoctvQ2xWR Content-Type: multipart/mixed; boundary="Boundary-01=_JXylEeUkvwl5+qb" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_JXylEeUkvwl5+qb Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 17 June 2006 23:59, Max Laier wrote: > On Monday 27 March 2006 12:41, zhouyi zhou wrote: > > MAC Framework has conflict with IP firewall > > because in function ipfw_tick of file ip_fw2.c, the mbuf is created > > without MAC label being initialized and send directly to ip_output. > > Christian Brueffer made me aware of this problem. Here is what we believe > should work as a temporary workaround to this problem. The final solution > would involve assigning a label with firewall states (derived from the > packet that creates the state) and then using this label for the mbuf > created for keepalives etc. > > The attached modifies biba, lomac and mls. Per Christian's request and FYI, here's the patch for RELENG_6. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_JXylEeUkvwl5+qb Content-Type: text/x-diff; charset="iso-8859-6"; name="mac_firewall.RELENG_6.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="mac_firewall.RELENG_6.diff" Index: contrib/pf/net/pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.34.2.3 diff -u -r1.34.2.3 pf.c =2D-- contrib/pf/net/pf.c 30 Dec 2005 00:50:18 -0000 1.34.2.3 +++ contrib/pf/net/pf.c 19 Jun 2006 21:37:52 -0000 
@@ -44,6 +44,8 @@ #ifdef __FreeBSD__ #include "opt_bpf.h" #include "opt_pf.h" +#include "opt_mac.h" + #define NBPFILTER DEV_BPF #define NPFLOG DEV_PFLOG #define NPFSYNC DEV_PFSYNC @@ -62,6 +64,7 @@ #include <sys/kernel.h> #include <sys/time.h> #ifdef __FreeBSD__ +#include <sys/mac.h> #include <sys/sysctl.h> #include <sys/endian.h> #else @@ -176,7 +179,12 @@ struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t *, u_int16_t *, u_int16_t *, u_int16_t *, u_int8_t, sa_family_t); +#ifdef __FreeBSD__ +void pf_send_tcp(struct mbuf *, + const struct pf_rule *, sa_family_t, +#else void pf_send_tcp(const struct pf_rule *, sa_family_t, +#endif const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, @@ -1098,7 +1106,11 @@ cur->local_flags |=3D PFSTATE_EXPIRING; #endif if (cur->src.state =3D=3D PF_TCPS_PROXY_DST) +#ifdef __FreeBSD__ + pf_send_tcp(NULL, cur->rule.ptr, cur->af, +#else pf_send_tcp(cur->rule.ptr, cur->af, +#endif &cur->ext.addr, &cur->lan.addr, cur->ext.port, cur->lan.port, cur->src.seqhi, cur->src.seqlo + 1, @@ -1558,7 +1570,11 @@ } =20 void +#ifdef __FreeBSD__ +pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, +#else pf_send_tcp(const struct pf_rule *r, sa_family_t af, +#endif const struct pf_addr *saddr, const struct pf_addr *daddr, u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, @@ -1597,6 +1613,16 @@ m =3D m_gethdr(M_DONTWAIT, MT_HEADER); if (m =3D=3D NULL) return; +#ifdef __FreeBSD__ +#ifdef MAC + if (replyto) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpproxy(m); +#else + (void)replyto; +#endif +#endif if (tag) { #ifdef __FreeBSD__ m->m_flags |=3D M_SKIP_FIREWALL; 
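Review bot: The new `replyto` parameter of pf_send_tcp (hunk @@ -1558) has no comment saying what it is for, while the equivalent `send_pkt` in ip_fw2.c receives one in the same patch; in particular the meaning of NULL is only discoverable from the `mac_firewall_tcpproxy` branch in hunk @@ -1597. I would add above the FreeBSD prototype: `/* replyto: the packet this segment answers, used only to derive its MAC label; NULL for segments pf originates itself (synproxy, state purge), which get the policies' tcpproxy label. */`. The `(void)replyto;` in the non-MAC branch could carry `/* used by MAC only */` so it is not mistaken for dead code. pf_send_tcp's body continues past the hunk.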
@@ -3130,7 +3156,11 @@ ack++; if (th->th_flags & TH_FIN) ack++; +#ifdef __FreeBSD__ + pf_send_tcp(m, r, af, pd->dst, +#else pf_send_tcp(r, af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, r->return_ttl, 1, pd->eh, kif->pfik_ifp); @@ -3331,7 +3361,11 @@ mss =3D pf_calc_mss(saddr, af, mss); mss =3D pf_calc_mss(daddr, af, mss); s->src.mss =3D mss; +#ifdef __FreeBSD__ + pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport, +#else pf_send_tcp(r, af, daddr, saddr, th->th_dport, +#endif th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL); REASON_SET(&reason, PFRES_SYNPROXY); @@ -4332,7 +4366,11 @@ REASON_SET(reason, PFRES_SYNPROXY); return (PF_DROP); } +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, (*state)->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, @@ -4371,7 +4409,12 @@ (*state)->src.max_win =3D MAX(ntohs(th->th_win), 1); if ((*state)->dst.seqhi =3D=3D 1) (*state)->dst.seqhi =3D htonl(arc4random()); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->dst.seqhi, 0, TH_SYN, 0, (*state)->src.mss, 0, 0, NULL, NULL); 
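Review bot: The SYN+ACK sent in hunk @@ -3331 is a direct answer to the SYN in hand, yet it is sent with `replyto == NULL` and so receives the policies' tcpproxy label instead of a label reflected from the received packet, while hunk @@ -3130 in the same function already passes `m` for the RST case. The same applies to the SYN+ACK in hunk @@ -4332; the @@ -4669 hunk shows `m` is available in pf_test_state_tcp as well. Passing it, e.g. `pf_send_tcp(m, r, af, daddr, saddr, th->th_dport,`, keeps the label of the reply tied to the packet that triggered it and reserves the unconstrained proxy label for segments pf originates on its own, such as the SYN toward the server in hunk @@ -4371. Whether synproxy replies should be reflected or proxy-labelled is a design decision I can only infer from the RST handling, so treat this as a question rather than a defect.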
@@ -4385,12 +4428,21 @@ } else { (*state)->dst.max_win =3D MAX(ntohs(th->th_win), 1); (*state)->dst.seqlo =3D ntohl(th->th_seq); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ntohl(th->th_seq) + 1, TH_ACK, (*state)->src.max_win, 0, 0, 0, NULL, NULL); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, TH_ACK, (*state)->dst.max_win, 0, 0, 1, @@ -4669,7 +4721,11 @@ (*state)->src.state =3D=3D TCPS_SYN_SENT) { /* Send RST for state mismatches during handshake */ if (!(th->th_flags & TH_RST)) +#ifdef __FreeBSD__ + pf_send_tcp(m, (*state)->rule.ptr, pd->af, +#else pf_send_tcp((*state)->rule.ptr, pd->af, +#endif pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), 0, TH_RST, 0, 0, Index: modules/ipfw/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/modules/ipfw/Makefile,v retrieving revision 1.21.2.1 diff -u -r1.21.2.1 Makefile =2D-- modules/ipfw/Makefile 11 Feb 2006 08:19:37 -0000 1.21.2.1 +++ modules/ipfw/Makefile 19 Jun 2006 21:36:47 -0000 
@@ -4,7 +4,7 @@ =20 KMOD=3D ipfw SRCS=3D ip_fw2.c ip_fw_pfil.c =2DSRCS+=3D opt_inet6.h opt_ipsec.h +SRCS+=3D opt_inet6.h opt_ipsec.h opt_mac.h =20 CFLAGS+=3D -DIPFIREWALL # Index: modules/pf/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/modules/pf/Makefile,v retrieving revision 1.7.2.2 diff -u -r1.7.2.2 Makefile =2D-- modules/pf/Makefile 22 Mar 2006 15:56:32 -0000 1.7.2.2 +++ modules/pf/Makefile 19 Jun 2006 21:36:48 -0000 @@ -6,7 +6,7 @@ KMOD=3D pf SRCS =3D pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c= \ in4_cksum.c \ =2D opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h + opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h =20 CFLAGS+=3D -I${.CURDIR}/../../contrib/pf =20 Index: netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.13 diff -u -r1.106.2.13 ip_fw2.c =2D-- netinet/ip_fw2.c 2 Jun 2006 04:02:06 -0000 1.106.2.13 +++ netinet/ip_fw2.c 19 Jun 2006 21:36:48 -0000 @@ -43,6 +43,7 @@ #endif #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_mac.h" =20 #include <sys/param.h> #include <sys/systm.h> @@ -51,6 +52,7 @@ #include <sys/mbuf.h> #include <sys/kernel.h> #include <sys/jail.h> +#include <sys/mac.h> #include <sys/module.h> #include <sys/proc.h> #include <sys/socket.h> 
@@ -1556,9 +1558,12 @@ * When flags & TH_RST, we are sending a RST packet, because of a * "reset" action matched the packet. * Otherwise we are sending a keepalive, and flags & TH_ + * The 'replyto' mbuf is the mbuf being replied to, if any, and is required + * so that MAC can label the reply appropriately. */ static struct mbuf * =2Dsend_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flag= s) +send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, + u_int32_t ack, int flags) { struct mbuf *m; struct ip *ip; @@ -1568,6 +1573,16 @@ if (m =3D=3D 0) return (NULL); m->m_pkthdr.rcvif =3D (struct ifnet *)0; + +#ifdef MAC + if (replyto !=3D NULL) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpkeepalive(m); +#else + (void)replyto; /* don't warn about unused arg */ +#endif + m->m_pkthdr.len =3D m->m_len =3D sizeof(struct ip) + sizeof(struct tcphdr= ); m->m_data +=3D max_linkhdr; =20 @@ -1652,8 +1667,8 @@ L3HDR(struct tcphdr, mtod(args->m, struct ip *)); if ( (tcp->th_flags & TH_RST) =3D=3D 0) { struct mbuf *m; =2D m =3D send_pkt(&(args->f_id), ntohl(tcp->th_seq), =2D ntohl(tcp->th_ack), + m =3D send_pkt(args->m, &(args->f_id), + ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m !=3D NULL) ip_output(m, NULL, NULL, 0, NULL, NULL); 
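Review bot: The sentence added to send_pkt's header comment in hunk @@ -1556 is spliced onto the existing, already truncated line `Otherwise we are sending a keepalive, and flags & TH_`, so the paragraph now reads as one broken sentence; it would be clearer as a separate paragraph that also states what NULL means. Something like: `'replyto' is the packet being answered (the RST case) and lets MAC copy its label onto the reply; it is NULL for keepalives, whose label is assigned by the policies' tcpkeepalive hook instead.` The labeling block in hunk @@ -1568 is otherwise placed correctly, right after the header mbuf is obtained and before any of its fields are filled in. send_pkt's body continues past the hunk.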
@@ -4147,11 +4162,11 @@ if (TIME_LEQ(q->expire, time_second)) continue; /* too late, rule expired */ =20 =2D *mtailp =3D send_pkt(&(q->id), q->ack_rev - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; =2D *mtailp =3D send_pkt(&(q->id), q->ack_fwd - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_fwd - 1, q->ack_rev, 0); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; Index: security/mac/mac_inet.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac/mac_inet.c,v retrieving revision 1.1 diff -u -r1.1 mac_inet.c =2D-- security/mac/mac_inet.c 26 Feb 2004 03:51:04 -0000 1.1 +++ security/mac/mac_inet.c 19 Jun 2006 21:36:48 -0000 
@@ -290,3 +290,41 @@ INP_LOCK_ASSERT(inp); MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); } + +void +mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to) +{ + struct label *fromlabel, *tolabel; + + M_ASSERTPKTHDR(from); + M_ASSERTPKTHDR(to); + + fromlabel =3D mac_mbuf_to_label(from); + tolabel =3D mac_mbuf_to_label(to); + + MAC_PERFORM(firewall_tcpreflect, from, fromlabel, to, tolabel); +} + +void +mac_firewall_tcpkeepalive(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpkeepalive, m, label); +} + +void +mac_firewall_tcpproxy(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpproxy, m, label); +} Index: security/mac_biba/mac_biba.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_biba/mac_biba.c,v retrieving revision 1.87.2.4 diff -u -r1.87.2.4 mac_biba.c =2D-- security/mac_biba/mac_biba.c 24 Jan 2006 04:10:25 -0000 1.87.2.4 +++ security/mac_biba/mac_biba.c 19 Jun 2006 21:36:48 -0000 
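Review bot: None of the three new entry points in hunk @@ -290 has a comment, and their names (`mac_firewall_tcpreflect` etc.) read as firewall operations rather than as mbuf-labeling events like the neighbouring `mac_reflect_mbuf_tcp` declared in the sys/mac.h hunk, so a reader needs the callers to understand them. I would add above the first: `/* Label reply 'to' from the packet 'from' it answers; both must be packet-header mbufs. */` and above the other two: `/* Label a packet the firewall originates without a triggering packet (keepalive / synproxy). */`. If the names are revisited, the `mac_mbuf_from_firewall_state` already anticipated by the XXX in sys/mac.h suggests an object-first scheme to follow. The surrounding file is not in the hunk, so I cannot tell whether other entry points here are commented.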
@@ -1381,6 +1381,40 @@ mac_biba_copy(source, dest); } =20 +static void +mac_biba_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_biba *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_biba_copy_effective(source, dest); +} + +static void +mac_biba_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void +mac_biba_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -3115,6 +3149,9 @@ .mpo_relabel_ifnet =3D mac_biba_relabel_ifnet, .mpo_update_ipq =3D mac_biba_update_ipq, .mpo_inpcb_sosetlabel =3D mac_biba_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_biba_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_biba_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_biba_firewall_tcpproxy, .mpo_create_proc0 =3D mac_biba_create_proc0, .mpo_create_proc1 =3D mac_biba_create_proc1, .mpo_relabel_cred =3D mac_biba_relabel_cred, Index: security/mac_lomac/mac_lomac.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_lomac/mac_lomac.c,v retrieving revision 1.35.2.3 diff -u -r1.35.2.3 mac_lomac.c =2D-- security/mac_lomac/mac_lomac.c 5 Oct 2005 10:31:04 -0000 1.35.2.3 +++ security/mac_lomac/mac_lomac.c 19 Jun 2006 21:36:48 -0000 
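Review bot: Both `mac_biba_firewall_tcpkeepalive` and `mac_biba_firewall_tcpproxy` in hunk @@ -1381 give firewall-originated packets an effective label of `MAC_BIBA_TYPE_EQUAL`; as far as I recall the Biba comparison treats `equal` as dominating and dominated by every other label, so these packets would satisfy any interface or socket label check the policy otherwise applies, whereas the RST reflected through `mac_biba_firewall_tcpreflect` stays confined to the label of the packet it answers. That matches the existing `XXX` comment and the cover mail's plan to derive labels from firewall state, but it should be stated as a decision rather than left as a question, e.g. replace the XXX with `/* No originating packet: use 'equal' so the segment is accepted everywhere. Deliberately unconfined until firewall states carry labels. */`. The same applies to the lomac (`MAC_LOMAC_TYPE_EQUAL`) and mls (`MAC_MLS_TYPE_EQUAL`) hunks. While touching those comments, "comming" should be "coming" in all six of them.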
@@ -1446,6 +1446,40 @@ mac_lomac_copy_single(source, dest); } =20 +static void +mac_lomac_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_lomac *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_lomac_copy_single(source, dest); +} + +static void +mac_lomac_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void +mac_lomac_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + /* * Labeling event operations: processes. */ @@ -2639,6 +2673,9 @@ .mpo_relabel_ifnet =3D mac_lomac_relabel_ifnet, .mpo_update_ipq =3D mac_lomac_update_ipq, .mpo_inpcb_sosetlabel =3D mac_lomac_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_lomac_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_lomac_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_lomac_firewall_tcpproxy, .mpo_execve_transition =3D mac_lomac_execve_transition, .mpo_execve_will_transition =3D mac_lomac_execve_will_transition, .mpo_create_proc0 =3D mac_lomac_create_proc0, Index: security/mac_mls/mac_mls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_mls/mac_mls.c,v retrieving revision 1.72.2.3 diff -u -r1.72.2.3 mac_mls.c =2D-- security/mac_mls/mac_mls.c 5 Oct 2005 10:31:04 -0000 1.72.2.3 +++ security/mac_mls/mac_mls.c 19 Jun 2006 21:36:48 -0000 
@@ -1305,6 +1305,40 @@ mac_mls_copy(source, dest); } =20 +static void +mac_mls_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_mls *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_mls_copy_effective(source, dest); +} + +static void +mac_mls_firewall_tcpkeepalive(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void +mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -2884,6 +2918,9 @@ .mpo_relabel_ifnet =3D mac_mls_relabel_ifnet, .mpo_update_ipq =3D mac_mls_update_ipq, .mpo_inpcb_sosetlabel =3D mac_mls_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_mls_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_mls_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_mls_firewall_tcpproxy, .mpo_create_proc0 =3D mac_mls_create_proc0, .mpo_create_proc1 =3D mac_mls_create_proc1, .mpo_relabel_cred =3D mac_mls_relabel_cred, Index: sys/mac.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/sys/mac.h,v retrieving revision 1.67.2.2 diff -u -r1.67.2.2 mac.h =2D-- sys/mac.h 5 Oct 2005 10:31:05 -0000 1.67.2.2 +++ sys/mac.h 19 Jun 2006 21:36:48 -0000 
@@ -266,6 +266,13 @@ void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); +void mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to); +/* + * XXX: The next two should be combined to mac_mbuf_from_firewall_state if + * we'd stick labels to firewall states. Later! + */ +void mac_firewall_tcpkeepalive(struct mbuf *m); +void mac_firewall_tcpproxy(struct mbuf *m); =20 /* * Labeling event operations: processes. Index: sys/mac_policy.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/sys/mac_policy.h,v retrieving revision 1.66.2.3 diff -u -r1.66.2.3 mac_policy.h =2D-- sys/mac_policy.h 5 Oct 2005 10:31:05 -0000 1.66.2.3 +++ sys/mac_policy.h 19 Jun 2006 22:13:08 -0000 @@ -322,6 +322,13 @@ void (*mpo_inpcb_sosetlabel)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); + void (*mpo_firewall_tcpreflect)(struct mbuf *from, + struct label *fromlabel, struct mbuf *to, + struct label *tolabel); + void (*mpo_firewall_tcpkeepalive)(struct mbuf *m, + struct label *label); + void (*mpo_firewall_tcpproxy)(struct mbuf *m, + struct label *label); =20 /* * Labeling event operations: processes. --Boundary-01=_JXylEeUkvwl5+qb-- --nextPart1469172.zoctvQ2xWR Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBElyXNXyyEoT62BG0RAsVTAJ9ZF6K10mfE+ySI3OUrzg/pydXW2QCcDzrt MNCcJbmgbtewakKjuIWDirM= =Sno7 -----END PGP SIGNATURE----- --nextPart1469172.zoctvQ2xWR--
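Review bot: The three `mpo_firewall_*` hooks added to mac_policy.h (hunk @@ -322) carry no comment describing their contract, and the prototypes in the sys/mac.h hunk have only the XXX, so a policy author cannot tell from the declarations that `to` (tcpreflect) and `m` (keepalive/proxy) are packet-header mbufs whose label the hook is expected to set, nor that the keepalive and proxy hooks receive no source label at all. A short comment above the group, along the lines of "Label TCP segments the firewall sends on its own: tcpreflect copies from the packet being answered, tcpkeepalive/tcpproxy have no originating packet and must choose a label themselves", would close that gap; the XXX about merging the latter two describes the hook design rather than the prototypes and would fit better here. Note that the mbufs being freshly allocated is what the ip_fw2.c and pf.c hunks show for the current callers, not something the header itself guarantees, so the comment should describe what the hook must do rather than the caller's allocation.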