cvs commit: src/sys/contrib/pf/net pf.c src/sys/modules/ipfw
Makefile src/sys/modules/pf Makefile src/sys/netinet ip_fw2.c
src/sys/security/mac mac_inet.c src/sys/security/mac_biba
mac_biba.c src/sys/security/mac_lomac mac_lomac.c ...
Christian S.J. Peron
csjp at FreeBSD.org
Mon Sep 11 21:25:21 PDT 2006
csjp 2006-09-12 04:25:13 UTC
FreeBSD src repository
Modified files:
sys/contrib/pf/net pf.c
sys/modules/ipfw Makefile
sys/modules/pf Makefile
sys/netinet ip_fw2.c
sys/security/mac mac_inet.c
sys/security/mac_biba mac_biba.c
sys/security/mac_lomac mac_lomac.c
sys/security/mac_mls mac_mls.c
sys/sys mac.h mac_policy.h
Log:
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with uninitialized mbuf labels
when the firewall generates packets.
[1] I modified this patch from its original version, the initial patch
introduced a number of entry points which were programmatically
equivalent. So I introduced only one. Instead, we should leverage
mac_create_mbuf_netlayer() which is used for similar situations,
an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1]
MFC after: 1 week
This is a RELENG_6 candidate
Revision Changes Path
1.41 +55 -0 src/sys/contrib/pf/net/pf.c
1.25 +1 -1 src/sys/modules/ipfw/Makefile
1.12 +1 -1 src/sys/modules/pf/Makefile
1.146 +20 -5 src/sys/netinet/ip_fw2.c
1.2 +10 -0 src/sys/security/mac/mac_inet.c
1.94 +12 -0 src/sys/security/mac_biba/mac_biba.c
1.40 +12 -0 src/sys/security/mac_lomac/mac_lomac.c
1.77 +12 -0 src/sys/security/mac_mls/mac_mls.c
1.71 +1 -0 src/sys/sys/mac.h
1.75 +3 -0 src/sys/sys/mac_policy.h