Date: Wed, 31 May 2006 10:35:57 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 98196 for review Message-ID: <200605311035.k4VAZvFh060342@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=98196
Change 98196 by rwatson@rwatson_peppercorn on 2006/05/31 10:34:58
Add two entry points, mac_ipfw_tcpreflect() and mac_ipfw_tcpkeepalive(), intended to allow ipfw to label packets it generates. Note yet fully implemented.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 (text+ko) ====
@@ -1524,9 +1524,12 @@
 * When flags & TH_RST, we are sending a RST packet, because of a
 * "reset" action matched the packet.
 * Otherwise we are sending a keepalive, and flags & TH_
+ * The 'replyto' mbuf is the mbuf being replied to, if any, and is required
+ * so that MAC can label the reply appropriately.
 */
 static struct mbuf *
-send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
+send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
+ u_int32_t ack, int flags)
 {
 struct mbuf *m;
 struct ip *ip;
@@ -1536,6 +1539,13 @@
 if (m == 0)
 return (NULL);
 m->m_pkthdr.rcvif = (struct ifnet *)0;
+
+#ifdef MAC
+ if (replyto != NULL)
+
+
+#endif
+
 m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
 m->m_data += max_linkhdr;
@@ -1620,8 +1630,8 @@
 L3HDR(struct tcphdr, mtod(args->m, struct ip *));
 if ( (tcp->th_flags & TH_RST) == 0) {
 struct mbuf *m;
- m = send_pkt(&(args->f_id), ntohl(tcp->th_seq),
- ntohl(tcp->th_ack),
+ m = send_pkt(args->m, &(args->f_id),
+ ntohl(tcp->th_seq), ntohl(tcp->th_ack),
 tcp->th_flags | TH_RST);
 if (m != NULL)
 ip_output(m, NULL, NULL, 0, NULL, NULL);
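Review bot: The `#ifdef MAC` block added to send_pkt leaves `if (replyto != NULL)` with no statement of its own, so in a MAC kernel the `if` takes the next line, `m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);`, as its body and the length fields are never set when replyto is NULL, which is exactly what the keepalive caller later in this change passes. The commit message says the work is not yet complete, but as committed this compiles into wrong code rather than a harmless placeholder. Either fill the body in now, `if (replyto != NULL) mac_ipfw_tcpreflect(replyto, m); else mac_ipfw_tcpkeepalive(m);`, or drop the bare `if` until the hooks are wired, keeping only an `#else (void)replyto;` so the new parameter is referenced in non-MAC builds. send_pkt's signature is in the previous hunk and its body continues past this one.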
@@ -4082,7 +4092,7 @@
 if (TIME_LEQ(q->expire, time_uptime))
 continue; /* too late, rule expired */
- *mtailp = send_pkt(&(q->id), q->ack_rev - 1,
+ *mtailp = send_pkt(NULL, &(q->id), q->ack_rev - 1,
 q->ack_fwd, TH_SYN);
 if (*mtailp != NULL)
 mtailp = &(*mtailp)->m_nextpkt;
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 (text+ko) ====
@@ -309,3 +309,29 @@
 INP_LOCK_ASSERT(inp);
 MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
 }
+
+void
+mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to)
+{
+ struct label *fromlabel, *tolabel;
+
+ M_ASSERTPKTHDR(from);
+ M_ASSERTPKTHDR(to);
+
+ fromlabel = mac_mbuf_to_label(from);
+ tolabel = mac_mbuf_to_label(to);
+
+ MAC_PERFORM(ipfw_tcpreflect, from, fromlabel, to, tolabel);
+}
+
+void
+mac_ipfw_tcpkeepalive(struct mbuf *m)
+{
+ struct label *label;
+
+ M_ASSERTPKTHDR(m);
+
+ label = mac_mbuf_to_label(m);
+
+ MAC_PERFORM(ipfw_tcpkeepalive, m, label);
+}
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 (text+ko) ====
@@ -283,6 +283,8 @@
 void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code);
 void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
+void mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to);
+void mac_ipfw_tcpkeepalive(struct mbuf *m);
 /*
 * Labeling event operations: processes.
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 (text+ko) ====
@@ -328,6 +328,11 @@
 typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
 struct label *label, struct inpcb *inp,
 struct label *inplabel);
+typedef void (*mpo_ipfw_tcpreflect_t)(struct mbuf *from,
+ struct label *fromlabel, struct mbuf *to,
+ struct label *tolabel);
+typedef void (*mpo_ipfw_tcpkeepalive_t)(struct mbuf *m,
+ struct label *label);
 /*
 * Labeling event operations: processes.
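Review bot: mac_ipfw_tcpkeepalive() is defined and exported in mac_inet.c but nothing in this change calls it: the `#ifdef MAC` block in send_pkt only tests `replyto != NULL`, and the keepalive caller in ip_fw2.c passes `NULL`, so ipfw-generated keepalives leave with whatever label the freshly allocated mbuf carries rather than one a policy assigned. The commit message marks the work as incomplete; until the caller lands, a one-line comment above each entry point naming the ipfw path meant to invoke it, e.g. `/* Label a RST that ipfw sends in reply to 'from'. */` and `/* Label a keepalive ipfw originates for a dynamic rule. */`, would make the intended split visible to someone reading mac_inet.c on its own. Both helpers also pass `mac_mbuf_to_label()`'s result straight through to MAC_PERFORM; if that lookup can yield NULL when mbuf labeling is disabled, the two new policy hooks must tolerate a NULL label the way the neighbouring mbuf hooks presumably do, which is worth confirming before policies start implementing them.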
@@ -748,6 +753,8 @@
 mpo_update_ipq_t mpo_update_ipq;
 mpo_update_mbuf_from_cipso_t mpo_update_mbuf_from_cipso;
 mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
+ mpo_ipfw_tcpreflect_t mpo_ipfw_tcpreflect;
+ mpo_ipfw_tcpkeepalive_t mpo_ipfw_tcpkeepalive;
 /*
 * Labeling event operations: processes.