diff options
| author | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2007-10-28 17:12:48 +0000 |
| commit | 369fd04f480478bfb9d2cb1566ec0189185a020e (patch) | |
| tree | 538321b7fe182a0082beacd5d1ff13b9d63f3fca /sys/security/mac/mac_policy.h | |
| parent | 6b31aa449ccb86216e7b0fbfdaf1540f5cf34e82 (diff) | |
| download | FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.zip FreeBSD-src-369fd04f480478bfb9d2cb1566ec0189185a020e.tar.gz | |
Continue to move from generic network entry points in the TrustedBSD MAC
Framework by moving from mac_mbuf_create_netlayer() to more specific
entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP
segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and
add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite
a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac/mac_policy.h')
| -rw-r--r-- | sys/security/mac/mac_policy.h | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 7b606b5..8f26818 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -225,9 +225,6 @@ typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel); -typedef void (*mpo_mbuf_create_netlayer_t)(struct mbuf *m, - struct label *mlabel, struct mbuf *mnew, - struct label *mnewlabel); typedef void (*mpo_mbuf_destroy_label_t)(struct label *label); typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag); @@ -245,12 +242,18 @@ typedef void (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp, typedef void (*mpo_netinet_arp_send_t)(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel); +typedef void (*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv, + struct label *mrecvlabel, struct mbuf *msend, + struct label *msendlabel); typedef void (*mpo_netinet_firewall_send_t)(struct mbuf *m, struct label *mlabel); typedef void (*mpo_netinet_fragment_t)(struct mbuf *m, struct label *mlabel, struct mbuf *frag, struct label *fraglabel); -typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m, +typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv, + struct label *mrecvlabel, struct mbuf *msend, + struct label *msendlabel); +typedef void (*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m, struct label *mlabel); typedef void (*mpo_netinet_igmp_send_t)(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, @@ -690,7 +693,6 @@ struct mac_policy_ops { mpo_mbuf_copy_label_t mpo_mbuf_copy_label; mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap; - mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer; mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label; mpo_mbuf_init_label_t mpo_mbuf_init_label; @@ -702,9 +704,11 @@ struct mac_policy_ops { mpo_netatalk_aarp_send_t mpo_netatalk_aarp_send; mpo_netinet_arp_send_t mpo_netinet_arp_send; + mpo_netinet_firewall_reply_t mpo_netinet_firewall_reply; mpo_netinet_firewall_send_t mpo_netinet_firewall_send; mpo_netinet_fragment_t mpo_netinet_fragment; mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply; + mpo_netinet_icmp_replyinplace_t mpo_netinet_icmp_replyinplace; mpo_netinet_igmp_send_t mpo_netinet_igmp_send; mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply; |
