From owner-p4-projects@FreeBSD.ORG Wed May 31 10:37:20 2006
Date: Wed, 31 May 2006 10:35:57 GMT
Message-Id: <200605311035.k4VAZvFh060342@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 98196 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 May 2006 10:37:20 -0000 http://perforce.freebsd.org/chv.cgi?CH=98196 Change 98196 by rwatson@rwatson_peppercorn on 2006/05/31 10:34:58 Add two entry points, mac_ipfw_tcpreflect() and mac_ipfw_tcpkeepalive(), intended to allow ipfw to label packets it generates. Note yet fully implemented. Affected files ... .. //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#40 (text+ko) ==== @@ -1524,9 +1524,12 @@ * When flags & TH_RST, we are sending a RST packet, because of a * "reset" action matched the packet. * Otherwise we are sending a keepalive, and flags & TH_ + * The 'replyto' mbuf is the mbuf being replied to, if any, and is required + * so that MAC can label the reply appropriately. */ static struct mbuf * -send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags) +send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, + u_int32_t ack, int flags) { struct mbuf *m; struct ip *ip; @@ -1536,6 +1539,13 @@ if (m == 0) return (NULL); m->m_pkthdr.rcvif = (struct ifnet *)0; + +#ifdef MAC + if (replyto != NULL) + + +#endif + m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr); m->m_data += max_linkhdr; 
@@ -1620,8 +1630,8 @@ L3HDR(struct tcphdr, mtod(args->m, struct ip *)); if ( (tcp->th_flags & TH_RST) == 0) { struct mbuf *m; - m = send_pkt(&(args->f_id), ntohl(tcp->th_seq), - ntohl(tcp->th_ack), + m = send_pkt(args->m, &(args->f_id), + ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m != NULL) ip_output(m, NULL, NULL, 0, NULL, NULL); @@ -4082,7 +4092,7 @@ if (TIME_LEQ(q->expire, time_uptime)) continue; /* too late, rule expired */ - *mtailp = send_pkt(&(q->id), q->ack_rev - 1, + *mtailp = send_pkt(NULL, &(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); if (*mtailp != NULL) mtailp = &(*mtailp)->m_nextpkt; ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c#4 (text+ko) ==== @@ -309,3 +309,29 @@ INP_LOCK_ASSERT(inp); MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); } + +void +mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to) +{ + struct label *fromlabel, *tolabel; + + M_ASSERTPKTHDR(from); + M_ASSERTPKTHDR(to); + + fromlabel = mac_mbuf_to_label(from); + tolabel = mac_mbuf_to_label(to); + + MAC_PERFORM(ipfw_tcpreflect, from, fromlabel, to, tolabel); +} + +void +mac_ipfw_tcpkeepalive(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label = mac_mbuf_to_label(m); + + MAC_PERFORM(ipfw_tcpkeepalive, m, label); +} ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#285 (text+ko) ==== @@ -283,6 +283,8 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code); void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); +void mac_ipfw_tcpreflect(struct mbuf *from, struct mbuf *to); +void mac_ipfw_tcpkeepalive(struct mbuf *m); /* * Labeling event operations: processes. ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#246 (text+ko) ==== 
@@ -328,6 +328,11 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); +typedef void (*mpo_ipfw_tcpreflect_t)(struct mbuf *from, + struct label *fromlabel, struct mbuf *to, + struct label *tolabel); +typedef void (*mpo_ipfw_tcpkeepalive_t)(struct mbuf *m, + struct label *label); /* * Labeling event operations: processes. @@ -748,6 +753,8 @@ mpo_update_ipq_t mpo_update_ipq; mpo_update_mbuf_from_cipso_t mpo_update_mbuf_from_cipso; mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel; + mpo_ipfw_tcpreflect_t mpo_ipfw_tcpreflect; + mpo_ipfw_tcpkeepalive_t mpo_ipfw_tcpkeepalive; /* * Labeling event operations: processes.
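Review bot: in the ip_fw2.c hunk at @@ -1536,6 +1539,13 @@, the `if (replyto != NULL)` inside the new `#ifdef MAC` block has no statement of its own; the two `+` lines after it are empty, so once the preprocessor drops the `#ifdef`/`#endif` lines the conditional binds to the next statement, `m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);`, and a MAC kernel would skip setting the packet length whenever replyto is NULL (the keepalive path). Fill in the body, presumably `mac_ipfw_tcpreflect(replyto, m);` with an `else` branch calling `mac_ipfw_tcpkeepalive(m);`, so that both entry points added in mac_inet.c are reached; as submitted, mac_ipfw_tcpkeepalive() is declared, defined and registered but never called from ip_fw2.c.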
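Review bot: in the ip_fw2.c hunk at @@ -4082,7 +4092,7 @@, the keepalive call site now passes NULL as the replyto argument, and nothing in send_pkt() labels the mbuf in that case, so keepalives generated in the expiry loop go out with no MAC label applied even though the change adds a mac_ipfw_tcpkeepalive() entry point for exactly this situation. If keepalives are meant to inherit a label from the dynamic rule's state rather than from an mbuf, a short comment here saying so would make the NULL intentional rather than a leftover of the unfinished send_pkt() body.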
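Review bot: the two new functions in the mac_inet.c hunk at @@ -309,3 +309,29 @@ carry no comment describing their contract; the only explanation of what `from` and `to` mean lives in the send_pkt() comment in ip_fw2.c. A block above mac_ipfw_tcpreflect() stating that `from` is the received packet being answered and `to` is the freshly allocated, still unlabeled reply, and one above mac_ipfw_tcpkeepalive() stating that it covers packets with no originating mbuf, would let policy authors implement the mpo_ipfw_tcpreflect_t and mpo_ipfw_tcpkeepalive_t hooks from mac_policy.h without reading ipfw.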