Cross Reference: /illumos-gate/usr/src/uts/common/inet/ip/tnet.c

Lines Matching refs:label
52 #include <sys/tsol/label.h>
616  * Assign a sensitivity label to inbound traffic which arrived without
617  * an explicit on-the-wire label.
620  * a label are at the most sensitive label known for the host, most
643  * Converts CIPSO option to sensitivity label.
668  * If present, parse the CIPSO label in the incoming packet and
669  * construct a ts_label_t that reflects the CIPSO label and put it in
671  * code that needs to examine the packet label can inspect the label
674  * to be forwarded packets. The forwarding path needs to examine the label
690 	uint32_t	label_flags = 0; /* flags to set in label */
719 		 * Convert the CIPSO label to the internal format
793 		 * Look up the tnrhtp database and get the implicit label
801 		 * If peer is label-aware, mark as "implicit" rather than
844 	 * Put the label in ira_tsl for convinience, while keeping
860  * It does a range/set check on the packet's label by looking up the given
871 	const bslabel_t *label, *conn_label;
901 	label = label2bslabel(plabel);
906 	 * Implicitly labeled packets from label-aware sources
932 	 * different rules.  If the label is equal to the zone's label, then
934 	 * zone or the label is dominated by the zone's label, then allow it
939 		    blequal(label, conn_label))
945 		    !bldominates(conn_label, label)))) {
956 	 * label on the packet matches the connection label.
960 		    !blequal(label, conn_label)) {
963 			    "packet mp(1) failed label match to SLP conn(2)",
970 		 * the interface ensures the zone's label is within the zone-
971 		 * specific address's valid label range; (2) For cases where
975 		 * cases where the zone label may not be the same as the
976 		 * conn label.
993 	 * assume that the packet should not have had a label, and thus should
1014 	} else if (!_blinrange(label, &tp->tpc_tp.tp_sl_range_cipso) &&
1015 	    !blinlset(label, tp->tpc_tp.tp_sl_set_cipso)) {
1070 	 * Check that the packet's label is in the correct range for labeled
1071 	 * sender, or is equal to the default label for unlabeled sender.
1115  * If tsol_strict_error is set, then we do strict tests: if the packet label is
1116  * within the label range/set of this host/zone, return B_TRUE; otherwise
1120  * marked as labeled in the remote host database, but the packet lacks a label.
1151 		    "unresolved security label sl(2)",
1171 		 * packets through only if the default label is the same, and
1220 	ts_label_t *label;
1222 	if ((label = ira->ira_tsl) != NULL) {
1223 		zone = zone_find_by_label(label);
1252 	 * If we don't have a label to compare with, or the IRE does not
1263 			    "label(2)", ire_t *, ire, ts_label_t *, tsl);
1361 			    "ire(1), label(2) off-link with no gw_rhc",
1373 		 * security credentials to compare against the passed in label.
1374 		 * Perform label range comparison against each security
1393 		 * label range checks, if we are required to do so.
1445  * Performs label accreditation checks for packet forwarding.
1523 		    "security label sl(2)",
1582 	 * Check that the label for the packet is acceptable
1593 			    "labeled packet mp(1) dropped, label(2) fails "
1608 			    "unlabeled packet mp(1) dropped, label(2) fails "
1619 		 * We keep the label on any of the following cases:
1766 	 * previously added (if any) or just removed, since label
2052 	const bslabel_t *label;
2081 		label = label2bslabel(plabel);
2086 	 * If it's a CIPSO zone specific address, the zone's label
2101 	    (_blinrange(label, &tp->tpc_tp.tp_sl_range_cipso) ||
2102 	    blinlset(label, tp->tpc_tp.tp_sl_set_cipso))))))) {
2141 		cmn_err(CE_NOTE, "%s failed: zone %s label incompatible with "
2143 		tsol_print_label(label, "zone label");