Date:      Sun, 18 Jun 2006 00:08:48 +0200
From:      Max Laier <max@love2party.net>
To:        trustedbsd-discuss@freebsd.org
Cc:        zhouyi zhou <zhouyi04@ios.cn>
Subject:   Re: MAC Framework has confict with IP firewall
Message-ID:  <200606180008.53676.max@love2party.net>
In-Reply-To: <200606172359.13019.max@love2party.net>
References:  <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net>

--nextPart1636735.IqntMIT3q6
Content-Type: multipart/mixed;
  boundary="Boundary-01=_x1HlEKdGwm5/Vvh"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_x1HlEKdGwm5/Vvh
Content-Type: text/plain;
  charset="iso-8859-6"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Saturday 17 June 2006 23:59, Max Laier wrote:
> On Monday 27 March 2006 12:41, zhouyi zhou wrote:
> >     MAC Framework has conflict with IP firewall
> > because in function ipfw_tick of file ip_fw2.c, the mbuf is created
> > without its MAC label being initialized and is sent directly to ip_output.
>
> Christian Brueffer made me aware of this problem.  Here is what we believe
> should work as a temporary workaround to this problem.  The final solution
> would involve assigning a label with firewall states (derived from the
> packet that creates the state) and then using this label for the mbuf
> created for keepalives etc.
>
> The attached modifies biba, lomac and mls.

Retry with different Content-Type.

=2D-=20
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Boundary-01=_x1HlEKdGwm5/Vvh
Content-Type: text/plain;
  charset="iso-8859-6";
  name="mac_firewall.diff"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="mac_firewall.diff"

=2D-- //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf.c	2006/02/11 13=
:33:00
+++ //depot/user/mlaier/trustedbsd/mac/sys/contrib/pf/net/pf.c	2006/06/17 1=
8:31:00
@@ -44,6 +44,7 @@
 #ifdef __FreeBSD__
 #include "opt_bpf.h"
 #include "opt_pf.h"
+#include "opt_mac.h"
=20
 #ifdef DEV_BPF
 #define	NBPFILTER	DEV_BPF
@@ -78,6 +79,7 @@
 #include <sys/kernel.h>
 #include <sys/time.h>
 #ifdef __FreeBSD__
+#include <sys/mac.h>
 #include <sys/sysctl.h>
 #include <sys/endian.h>
 #else
@@ -192,7 +194,12 @@
 			    struct pf_addr *, struct pf_addr *, u_int16_t,
 			    u_int16_t *, u_int16_t *, u_int16_t *,
 			    u_int16_t *, u_int8_t, sa_family_t);
+#ifdef __FreeBSD__
+void			 pf_send_tcp(struct mbuf *,
+			    const struct pf_rule *, sa_family_t,
+#else
 void			 pf_send_tcp(const struct pf_rule *, sa_family_t,
+#endif
 			    const struct pf_addr *, const struct pf_addr *,
 			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
 			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
@@ -1114,7 +1121,11 @@
 	cur->local_flags |=3D PFSTATE_EXPIRING;
 #endif
 	if (cur->src.state =3D=3D PF_TCPS_PROXY_DST)
+#ifdef __FreeBSD__
+		pf_send_tcp(NULL, cur->rule.ptr, cur->af,
+#else
 		pf_send_tcp(cur->rule.ptr, cur->af,
+#endif
 		    &cur->ext.addr, &cur->lan.addr,
 		    cur->ext.port, cur->lan.port,
 		    cur->src.seqhi, cur->src.seqlo + 1,
@@ -1574,7 +1585,11 @@
 }
=20
 void
+#ifdef __FreeBSD__
+pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
+#else
 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
+#endif
     const struct pf_addr *saddr, const struct pf_addr *daddr,
     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
@@ -1613,6 +1628,16 @@
 	m =3D m_gethdr(M_DONTWAIT, MT_HEADER);
 	if (m =3D=3D NULL)
 		return;
+#ifdef __FreeBSD__
+#ifdef MAC
+	if (replyto)
+		mac_firewall_tcpreflect(replyto, m);
+	else
+		mac_firewall_tcpproxy(m);
+#else
+	(void)replyto;
+#endif
+#endif
 	if (tag) {
 #ifdef __FreeBSD__
 		m->m_flags |=3D M_SKIP_FIREWALL;
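Review bot: The new MAC block after m_gethdr() chooses the reply's label silently: with `replyto` set, the reply inherits the label of the packet it answers (for the RST paths that is the inbound, possibly untrusted packet), and with NULL it is labelled as a proxy packet that answers no received packet. A short comment should say so, since every call site in this file picks between the two by passing `m` or `NULL`; suggested text above the `if (replyto)`: `/* Label the reply from the packet it answers; SYN-proxy replies have no such packet and get the policy's proxy label. */`. The same remark applies to the `send_pkt()` hook in ip_fw2.c, where the NULL case is a keepalive rather than a proxy packet. pf_send_tcp() begins before this hunk.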
@@ -3146,7 +3171,11 @@
 				ack++;
 			if (th->th_flags & TH_FIN)
 				ack++;
+#ifdef __FreeBSD__
+			pf_send_tcp(m, r, af, pd->dst,
+#else
 			pf_send_tcp(r, af, pd->dst,
+#endif
 			    pd->src, th->th_dport, th->th_sport,
 			    ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
 			    r->return_ttl, 1, pd->eh, kif->pfik_ifp);
@@ -3347,7 +3376,11 @@
 			mss =3D pf_calc_mss(saddr, af, mss);
 			mss =3D pf_calc_mss(daddr, af, mss);
 			s->src.mss =3D mss;
+#ifdef __FreeBSD__
+			pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport,
+#else
 			pf_send_tcp(r, af, daddr, saddr, th->th_dport,
+#endif
 			    th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
 			    TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL);
 			REASON_SET(&reason, PFRES_SYNPROXY);
@@ -4348,7 +4381,11 @@
 				REASON_SET(reason, PFRES_SYNPROXY);
 				return (PF_DROP);
 			}
+#ifdef __FreeBSD__
+			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
+#else
 			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
+#endif
 			    pd->src, th->th_dport, th->th_sport,
 			    (*state)->src.seqhi, ntohl(th->th_seq) + 1,
 			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
@@ -4387,7 +4424,12 @@
 			(*state)->src.max_win =3D MAX(ntohs(th->th_win), 1);
 			if ((*state)->dst.seqhi =3D=3D 1)
 				(*state)->dst.seqhi =3D htonl(arc4random());
+#ifdef __FreeBSD__
+			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
+			    &src->addr,
+#else
 			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
+#endif
 			    &dst->addr, src->port, dst->port,
 			    (*state)->dst.seqhi, 0, TH_SYN, 0,
 			    (*state)->src.mss, 0, 0, NULL, NULL);
@@ -4401,12 +4443,21 @@
 		} else {
 			(*state)->dst.max_win =3D MAX(ntohs(th->th_win), 1);
 			(*state)->dst.seqlo =3D ntohl(th->th_seq);
+#ifdef __FreeBSD__
+			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
+#else
 			pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
+#endif
 			    pd->src, th->th_dport, th->th_sport,
 			    ntohl(th->th_ack), ntohl(th->th_seq) + 1,
 			    TH_ACK, (*state)->src.max_win, 0, 0, 0,
 			    NULL, NULL);
+#ifdef __FreeBSD__
+			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
+			    &src->addr,
+#else
 			pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
+#endif
 			    &dst->addr, src->port, dst->port,
 			    (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
 			    TH_ACK, (*state)->dst.max_win, 0, 0, 1,
@@ -4685,7 +4736,11 @@
 		    (*state)->src.state =3D=3D TCPS_SYN_SENT) {
 			/* Send RST for state mismatches during handshake */
 			if (!(th->th_flags & TH_RST))
+#ifdef __FreeBSD__
+				pf_send_tcp(m, (*state)->rule.ptr, pd->af,
+#else
 				pf_send_tcp((*state)->rule.ptr, pd->af,
+#endif
 				    pd->dst, pd->src, th->th_dport,
 				    th->th_sport, ntohl(th->th_ack), 0,
 				    TH_RST, 0, 0,
=2D-- //depot/projects/trustedbsd/mac/sys/modules/ipfw/Makefile	2006/03/20 =
19:47:17
+++ //depot/user/mlaier/trustedbsd/mac/sys/modules/ipfw/Makefile	2006/06/17=
 21:22:14
@@ -6,7 +6,7 @@
=20
 KMOD=3D	ipfw
 SRCS=3D	ip_fw2.c ip_fw_pfil.c
=2DSRCS+=3D	opt_inet6.h opt_ipsec.h
+SRCS+=3D	opt_inet6.h opt_ipsec.h opt_mac.h
=20
 CFLAGS+=3D -DIPFIREWALL
 #
=2D-- //depot/projects/trustedbsd/mac/sys/modules/pf/Makefile	2006/03/20 19=
:47:17
+++ //depot/user/mlaier/trustedbsd/mac/sys/modules/pf/Makefile	2006/06/17 2=
1:22:14
@@ -8,7 +8,7 @@
 KMOD=3D	pf
 SRCS =3D 	pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c=
 \
 	in4_cksum.c \
=2D	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h
+	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h
=20
 CFLAGS+=3D  -I${.CURDIR}/../../contrib/pf
=20
=2D-- //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c	2006/03/08 21:28=
:14
+++ //depot/user/mlaier/trustedbsd/mac/sys/netinet/ip_fw2.c	2006/06/17 21:2=
2:14
@@ -43,6 +43,7 @@
 #endif
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_mac.h"
=20
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -52,6 +53,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/jail.h>
+#include <sys/mac.h>
 #include <sys/module.h>
 #include <sys/proc.h>
 #include <sys/rwlock.h>
@@ -1524,9 +1526,12 @@
  * When flags & TH_RST, we are sending a RST packet, because of a
  * "reset" action matched the packet.
  * Otherwise we are sending a keepalive, and flags & TH_
+ * The 'replyto' mbuf is the mbuf being replied to, if any, and is required
+ * so that MAC can label the reply appropriately.
  */
 static struct mbuf *
=2Dsend_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flag=
s)
+send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
+    u_int32_t ack, int flags)
 {
 	struct mbuf *m;
 	struct ip *ip;
@@ -1536,6 +1541,16 @@
 	if (m =3D=3D 0)
 		return (NULL);
 	m->m_pkthdr.rcvif =3D (struct ifnet *)0;
+
+#ifdef MAC
+	if (replyto !=3D NULL)
+		mac_firewall_tcpreflect(replyto, m);
+	else
+		mac_firewall_tcpkeepalive(m);
+#else
+	(void)replyto;		/* don't warn about unused arg */
+#endif
+
 	m->m_pkthdr.len =3D m->m_len =3D sizeof(struct ip) + sizeof(struct tcphdr=
);
 	m->m_data +=3D max_linkhdr;
=20
@@ -1620,8 +1635,8 @@
 		    L3HDR(struct tcphdr, mtod(args->m, struct ip *));
 		if ( (tcp->th_flags & TH_RST) =3D=3D 0) {
 			struct mbuf *m;
=2D			m =3D send_pkt(&(args->f_id), ntohl(tcp->th_seq),
=2D				ntohl(tcp->th_ack),
+			m =3D send_pkt(args->m, &(args->f_id),
+				ntohl(tcp->th_seq), ntohl(tcp->th_ack),
 				tcp->th_flags | TH_RST);
 			if (m !=3D NULL)
 				ip_output(m, NULL, NULL, 0, NULL, NULL);
@@ -4082,11 +4097,11 @@
 			if (TIME_LEQ(q->expire, time_uptime))
 				continue;	/* too late, rule expired */
=20
=2D			*mtailp =3D send_pkt(&(q->id), q->ack_rev - 1,
+			*mtailp =3D send_pkt(NULL, &(q->id), q->ack_rev - 1,
 				q->ack_fwd, TH_SYN);
 			if (*mtailp !=3D NULL)
 				mtailp =3D &(*mtailp)->m_nextpkt;
=2D			*mtailp =3D send_pkt(&(q->id), q->ack_fwd - 1,
+			*mtailp =3D send_pkt(NULL, &(q->id), q->ack_fwd - 1,
 				q->ack_rev, 0);
 			if (*mtailp !=3D NULL)
 				mtailp =3D &(*mtailp)->m_nextpkt;
=2D-- //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c	2004/11/0=
8 17:24:02
+++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac/mac_inet.c	2006/06/=
17 19:55:19
@@ -309,3 +309,41 @@
 	INP_LOCK_ASSERT(inp);
 	MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
 }
+
+void
+mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to)
+{
+	struct label *fromlabel, *tolabel;
+
+	M_ASSERTPKTHDR(from);
+	M_ASSERTPKTHDR(to);
+
+	fromlabel =3D mac_mbuf_to_label(from);
+	tolabel =3D mac_mbuf_to_label(to);
+
+	MAC_PERFORM(firewall_tcpreflect, from, fromlabel, to, tolabel);
+}
+
+void
+mac_firewall_tcpkeepalive(struct mbuf *m)
+{
+	struct label *label;
+
+	M_ASSERTPKTHDR(m);
+
+	label =3D mac_mbuf_to_label(m);
+
+	MAC_PERFORM(firewall_tcpkeepalive, m, label);
+}
+
+void
+mac_firewall_tcpproxy(struct mbuf *m)
+{
+	struct label *label;
+
+	M_ASSERTPKTHDR(m);
+
+	label =3D mac_mbuf_to_label(m);
+
+	MAC_PERFORM(firewall_tcpproxy, m, label);
+}
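Review bot: The three new entry points carry no header comment, unlike the surrounding labelling functions, and their contract is not obvious from the names: reflect derives the label of `to` from `from`, while keepalive and proxy have no source packet and leave the label entirely to the policy. A comment such as `/* Label a TCP reply generated by the firewall from the packet it replies to. */` on mac_firewall_tcpreflect(), and `/* Label a firewall-generated TCP packet that answers no received packet (keepalive / SYN proxy); the policy must pick a label on its own. */` on the other two, would document that. All three also assume mac_mbuf_to_label() returns a usable label for every pkthdr mbuf; if it can return NULL for an mbuf without a label tag (its definition is not visible here), the policy entry points would dereference that NULL through SLOT(), so an assertion or early return on a NULL label is worth considering.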
=2D-- //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c	2006=
/02/11 13:33:00
+++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_biba/mac_biba.c	200=
6/06/17 21:07:55
@@ -1450,6 +1450,40 @@
 	mac_biba_copy(source, dest);
 }
=20
+static void
+mac_biba_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel,
+    struct mbuf *to, struct label *tolabel)
+{
+	struct mac_biba *source, *dest;
+
+	source =3D SLOT(fromlabel);
+	dest =3D SLOT(tolabel);
+
+	mac_biba_copy_effective(source, dest);
+}
+
+static void
+mac_biba_firewall_tcpkeepalive(struct mbuf *m, struct label *label)
+{
+	struct mac_biba *dest;
+
+	dest =3D SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+mac_biba_firewall_tcpproxy(struct mbuf *m, struct label *label)
+{
+	struct mac_biba *dest;
+
+	dest =3D SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
 /*
  * Labeling event operations: processes.
  */
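Review bot: mac_biba_firewall_tcpkeepalive() and mac_biba_firewall_tcpproxy() give the generated packet the EQUAL type, which makes it satisfy every Biba dominance check on the way out regardless of the flow it belongs to; the XXX comment hints at this but does not state the consequence, and the same choice is repeated in the mac_lomac and mac_mls hunks below. The comment should record that this is a deliberate, temporary trust decision, e.g. `/* XXX: No originating packet to derive a label from; EQUAL lets the packet pass all checks until labels are kept on firewall states. */`, and "comming" in the three copies should read "coming". Since the two functions are byte-identical within each policy, a single static helper per policy would remove the duplication.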
@@ -3195,6 +3229,9 @@
 	.mpo_relabel_ifnet =3D mac_biba_relabel_ifnet,
 	.mpo_update_ipq =3D mac_biba_update_ipq,
 	.mpo_inpcb_sosetlabel =3D mac_biba_inpcb_sosetlabel,
+	.mpo_firewall_tcpreflect =3D mac_biba_firewall_tcpreflect,
+	.mpo_firewall_tcpkeepalive =3D mac_biba_firewall_tcpkeepalive,
+	.mpo_firewall_tcpproxy =3D mac_biba_firewall_tcpproxy,
 	.mpo_create_proc0 =3D mac_biba_create_proc0,
 	.mpo_create_proc1 =3D mac_biba_create_proc1,
 	.mpo_relabel_cred =3D mac_biba_relabel_cred,
=2D-- //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c	20=
06/03/08 21:51:14
+++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c	2=
006/06/17 20:17:40
@@ -1529,6 +1529,40 @@
 	mac_lomac_copy_single(source, dest);
 }
=20
+static void
+mac_lomac_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel,
+    struct mbuf *to, struct label *tolabel)
+{
+	struct mac_lomac *source, *dest;
+
+	source =3D SLOT(fromlabel);
+	dest =3D SLOT(tolabel);
+
+	mac_lomac_copy_single(source, dest);
+}
+
+static void
+mac_lomac_firewall_tcpkeepalive(struct mbuf *m, struct label *label)
+{
+	struct mac_lomac *dest;
+
+	dest =3D SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
+static void
+mac_lomac_firewall_tcpproxy(struct mbuf *m, struct label *label)
+{
+	struct mac_lomac *dest;
+
+	dest =3D SLOT(label);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -3108,6 +3142,9 @@
 	.mpo_relabel_ifnet =3D mac_lomac_relabel_ifnet,
 	.mpo_update_ipq =3D mac_lomac_update_ipq,
 	.mpo_inpcb_sosetlabel =3D mac_lomac_inpcb_sosetlabel,
+	.mpo_firewall_tcpreflect =3D mac_lomac_firewall_tcpreflect,
+	.mpo_firewall_tcpkeepalive =3D mac_lomac_firewall_tcpkeepalive,
+	.mpo_firewall_tcpproxy =3D mac_lomac_firewall_tcpproxy,
 	.mpo_execve_transition =3D mac_lomac_execve_transition,
 	.mpo_execve_will_transition =3D mac_lomac_execve_will_transition,
 	.mpo_create_proc0 =3D mac_lomac_create_proc0,
=2D-- //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c	2005/1=
1/09 15:09:41
+++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_mls/mac_mls.c	2006/=
06/17 21:07:55
@@ -1382,6 +1382,40 @@
 	mac_mls_copy(source, dest);
 }
=20
+static void
+mac_mls_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel,
+    struct mbuf *to, struct label *tolabel)
+{
+	struct mac_mls *source, *dest;
+
+	source =3D SLOT(fromlabel);
+	dest =3D SLOT(tolabel);
+
+	mac_mls_copy_effective(source, dest);
+}
+
+static void
+mac_mls_firewall_tcpkeepalive(struct mbuf *m, struct label *mbuflabel)
+{
+	struct mac_mls *dest;
+
+	dest =3D SLOT(mbuflabel);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
+{
+	struct mac_mls *dest;
+
+	dest =3D SLOT(mbuflabel);
+
+	/* XXX: where is the label for the firewall really comming from? */
+	mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -2961,6 +2995,9 @@
 	.mpo_relabel_ifnet =3D mac_mls_relabel_ifnet,
 	.mpo_update_ipq =3D mac_mls_update_ipq,
 	.mpo_inpcb_sosetlabel =3D mac_mls_inpcb_sosetlabel,
+	.mpo_firewall_tcpreflect =3D mac_mls_firewall_tcpreflect,
+	.mpo_firewall_tcpkeepalive =3D mac_mls_firewall_tcpkeepalive,
+	.mpo_firewall_tcpproxy =3D mac_mls_firewall_tcpproxy,
 	.mpo_create_proc0 =3D mac_mls_create_proc0,
 	.mpo_create_proc1 =3D mac_mls_create_proc1,
 	.mpo_relabel_cred =3D mac_mls_relabel_cred,
=2D-- //depot/projects/trustedbsd/mac/sys/sys/mac.h	2006/04/27 16:07:17
+++ //depot/user/mlaier/trustedbsd/mac/sys/sys/mac.h	2006/06/17 19:46:34
@@ -283,6 +283,13 @@
 void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 int	mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code);
 void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
+void	mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to);
+/*
+ * XXX: The next two should be combined to mac_mbuf_from_firewall_state if
+ * we'd stick labels to firewall states.  Later!
+ */
+void	mac_firewall_tcpkeepalive(struct mbuf *m);
+void	mac_firewall_tcpproxy(struct mbuf *m);
=20
 /*
  * Labeling event operations: processes.
=2D-- //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h	2006/04/28 14:30=
:05
+++ //depot/user/mlaier/trustedbsd/mac/sys/sys/mac_policy.h	2006/06/17 19:2=
3:51
@@ -328,6 +328,13 @@
 typedef void	(*mpo_inpcb_sosetlabel_t)(struct socket *so,
 		    struct label *label, struct inpcb *inp,
 		    struct label *inplabel);
+typedef void	(*mpo_firewall_tcpreflect_t)(struct mbuf *from,
+		    struct label *fromlabel, struct mbuf *to,
+		    struct label *tolabel);
+typedef void	(*mpo_firewall_tcpkeepalive_t)(struct mbuf *m,
+		    struct label *label);
+typedef void	(*mpo_firewall_tcpproxy_t)(struct mbuf *m,
+		    struct label *label);
=20
 /*
  * Labeling event operations: processes.
@@ -748,6 +755,9 @@
 	mpo_update_ipq_t			mpo_update_ipq;
 	mpo_update_mbuf_from_cipso_t		mpo_update_mbuf_from_cipso;
 	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;
+	mpo_firewall_tcpreflect_t		mpo_firewall_tcpreflect;
+	mpo_firewall_tcpkeepalive_t		mpo_firewall_tcpkeepalive;
+	mpo_firewall_tcpproxy_t			mpo_firewall_tcpproxy;
=20
 	/*
 	 * Labeling event operations: processes.

--Boundary-01=_x1HlEKdGwm5/Vvh--

--nextPart1636735.IqntMIT3q6
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQBElH11XyyEoT62BG0RAkGYAJ0XepGJx5mC6smTRfyBClaqKoLRpwCeIe3z
/KK9up/BcR29C0nY6CmYZIc=
=/n7c
-----END PGP SIGNATURE-----

--nextPart1636735.IqntMIT3q6--


