Message-Id: <200609120425.k8C4PDMu051973@repoman.freebsd.org>
From: "Christian S.J. Peron"
Date: Tue, 12 Sep 2006 04:25:13 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/contrib/pf/net pf.c src/sys/modules/ipfw Makefile src/sys/modules/pf Makefile src/sys/netinet ip_fw2.c src/sys/security/mac mac_inet.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_lomac mac_lomac.c ...

csjp        2006-09-12 04:25:13 UTC

  FreeBSD src repository

  Modified files:
    sys/contrib/pf/net         pf.c
    sys/modules/ipfw           Makefile
    sys/modules/pf             Makefile
    sys/netinet                ip_fw2.c
    sys/security/mac           mac_inet.c
    sys/security/mac_biba      mac_biba.c
    sys/security/mac_lomac     mac_lomac.c
    sys/security/mac_mls       mac_mls.c
    sys/sys                    mac.h mac_policy.h
  Log:
  Introduce a new entry point, mac_create_mbuf_from_firewall.
  This entry point exists to allow the mandatory access control policy to
  properly initialize mbufs generated by the firewall. An example where this
  might happen is keep alive packets, or ICMP error packets in response to
  other packets.

  This takes care of kernel panics associated with uninitialized mbuf labels
  when the firewall generates packets.

  [1] I modified this patch from its original version; the initial patch
      introduced a number of entry points which were programmatically
      equivalent. So I introduced only one. Instead, we should leverage
      mac_create_mbuf_netlayer() which is used for similar situations,
      an example being icmp_error().

      This will minimize the impact associated with the MFC.

  Submitted by:   mlaier [1]
  MFC after:      1 week

  This is a RELENG_6 candidate

  Revision  Changes    Path
  1.41      +55 -0     src/sys/contrib/pf/net/pf.c
  1.25      +1 -1      src/sys/modules/ipfw/Makefile
  1.12      +1 -1      src/sys/modules/pf/Makefile
  1.146     +20 -5     src/sys/netinet/ip_fw2.c
  1.2       +10 -0     src/sys/security/mac/mac_inet.c
  1.94      +12 -0     src/sys/security/mac_biba/mac_biba.c
  1.40      +12 -0     src/sys/security/mac_lomac/mac_lomac.c
  1.77      +12 -0     src/sys/security/mac_mls/mac_mls.c
  1.71      +1 -0      src/sys/sys/mac.h
  1.75      +3 -0      src/sys/sys/mac_policy.h