diff options
author | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
commit | 369fd04f480478bfb9d2cb1566ec0189185a020e (patch) | |
tree | 538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac/mac_inet.c | |
parent | 6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff) | |
download | FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.zip FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.tar.gz |
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac/mac_inet.c')
-rw-r--r-- | sys/security/mac/mac_inet.c | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index 22c134f..6533cf0 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c @@ -234,13 +234,25 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m) } void -mac_netinet_icmp_reply(struct mbuf *m) +mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend) +{ + struct label *mrecvlabel, *msendlabel; + + mrecvlabel = mac_mbuf_to_label(mrecv); + msendlabel = mac_mbuf_to_label(msend); + + MAC_PERFORM(netinet_icmp_reply, mrecv, mrecvlabel, msend, + msendlabel); +} + +void +mac_netinet_icmp_replyinplace(struct mbuf *m) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(netinet_icmp_reply, m, label); + MAC_PERFORM(netinet_icmp_replyinplace, m, label); } void @@ -300,6 +312,21 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) } void +mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend) +{ + struct label *mrecvlabel, *msendlabel; + + M_ASSERTPKTHDR(mrecv); + M_ASSERTPKTHDR(msend); + + mrecvlabel = mac_mbuf_to_label(mrecv); + msendlabel = mac_mbuf_to_label(msend); + + MAC_PERFORM(netinet_firewall_reply, mrecv, mrecvlabel, msend, + msendlabel); +} + +void mac_netinet_firewall_send(struct mbuf *m) { struct label *label; |