authorBill Sommerfeld <sommerfeld@sun.com>2009-11-02 15:39:20 -0800
committerBill Sommerfeld <sommerfeld@sun.com>2009-11-02 15:39:20 -0800
commit5d3b8cb7141cfa596d20cdc5043b8a6df635938d (patch)
tree0d5b3e64a0cda54c7b05549135c75f82cff47ee0 /usr/src/uts/common/sys
parent978abfca9a7454fe5f18d723a4f4fca9569bc406 (diff)
PSARC/2008/252 Labeled IPsec phase 1
6886771 Labeled IPsec phase 1 6808727 Alignment error panic in tsol_can_accept_raw() 6894979 nightly -0 + -p builds then destroys SUNW0on
Diffstat (limited to 'usr/src/uts/common/sys')
-rw-r--r--usr/src/uts/common/sys/policy.h1
-rw-r--r--usr/src/uts/common/sys/socket.h1
-rw-r--r--usr/src/uts/common/sys/tsol/label.h16
-rw-r--r--usr/src/uts/common/sys/tsol/tnet.h6
4 files changed, 20 insertions, 4 deletions
diff --git a/usr/src/uts/common/sys/policy.h b/usr/src/uts/common/sys/policy.h
index 4109deda85..8613aa44bf 100644
--- a/usr/src/uts/common/sys/policy.h
+++ b/usr/src/uts/common/sys/policy.h
@@ -112,6 +112,7 @@ int secpolicy_net_bindmlp(const cred_t *);
int secpolicy_net_config(const cred_t *, boolean_t);
int secpolicy_net_icmpaccess(const cred_t *);
int secpolicy_net_mac_aware(const cred_t *);
+int secpolicy_net_mac_implicit(const cred_t *);
int secpolicy_net_observability(const cred_t *);
int secpolicy_net_privaddr(const cred_t *, in_port_t, int proto);
int secpolicy_net_rawaccess(const cred_t *);
diff --git a/usr/src/uts/common/sys/socket.h b/usr/src/uts/common/sys/socket.h
index bdab5880bd..435c43225d 100644
--- a/usr/src/uts/common/sys/socket.h
+++ b/usr/src/uts/common/sys/socket.h
@@ -176,6 +176,7 @@ struct so_snd_bufinfo {
#define SCM_TIMESTAMP SO_TIMESTAMP /* socket control message timestamp */
#define SO_ALLZONES 0x1014 /* bind in all zones */
#define SO_EXCLBIND 0x1015 /* exclusive binding */
+#define SO_MAC_IMPLICIT 0x1016 /* hide mac labels on wire */
#ifdef _KERNEL
#define SO_SRCADDR 0x2001 /* Internal: AF_UNIX source address */
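Review bot: The comment on `SO_MAC_IMPLICIT` ("hide mac labels on wire") understates a security-relevant option, since a socket that sets it sends traffic without the explicit label a label-aware peer would otherwise receive. The same commit adds `secpolicy_net_mac_implicit()` to policy.h, which suggests the option is privilege-gated, but that link is inferred from the names only; the setsockopt path is not part of this diffstat. Once confirmed, I would expand the comment to something like `/* omit explicit MAC label on the wire; requires secpolicy_net_mac_implicit() */`. A header reader can then see that this is not an ordinary unprivileged socket option.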
diff --git a/usr/src/uts/common/sys/tsol/label.h b/usr/src/uts/common/sys/tsol/label.h
index d048315ac1..5845c92dc4 100644
--- a/usr/src/uts/common/sys/tsol/label.h
+++ b/usr/src/uts/common/sys/tsol/label.h
@@ -103,7 +103,21 @@ typedef struct ts_label_s {
#define DEFAULT_DOI 1
-#define TSLF_UNLABELED 0x00000001 /* peer is unlabeled */
+/*
+ * TSLF_UNLABELED is set in tsl_flags for packets with no explicit label
+ * when the peer is unlabeled.
+ *
+ * TSLF_IMPLICIT_IN is set when a packet is received with no explicit label
+ * from a peer which is flagged in the tnrhdb as label-aware.
+ *
+ * TSLF_IMPLICIT_OUT is set when the packet should be sent without an
+ * explict label even if the peer or next-hop router is flagged in the
+ * tnrhdb as label-aware.
+ */
+
+#define TSLF_UNLABELED 0x00000001 /* peer is unlabeled */
+#define TSLF_IMPLICIT_IN 0x00000002 /* inbound implicit */
+#define TSLF_IMPLICIT_OUT 0x00000004 /* outbound implicit */
#define CR_SL(cr) (label2bslabel(crgetlabel(cr)))
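Review bot: The new block comment has a typo in the TSLF_IMPLICIT_OUT paragraph (`explict` should be `explicit`). It also omits where the label on a TSLF_IMPLICIT_IN packet comes from when none was carried on the wire. Code that makes access decisions on a `ts_label_t` should be able to tell from this header whether the label was asserted by the peer or assigned locally. I would add a sentence such as `With TSLF_IMPLICIT_IN the label was not carried in the packet; it was assigned by the receiver.` after checking the implementation, which is outside this diff. The comment should also state whether the three flags can be set together.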
diff --git a/usr/src/uts/common/sys/tsol/tnet.h b/usr/src/uts/common/sys/tsol/tnet.h
index 802b90c67d..221f4c775a 100644
--- a/usr/src/uts/common/sys/tsol/tnet.h
+++ b/usr/src/uts/common/sys/tsol/tnet.h
@@ -46,15 +46,15 @@ extern "C" {
extern int tsol_tnrh_chk(tsol_tpent_t *, bslabel_t *, int);
extern tsol_tnrhc_t *find_rhc(const void *, uchar_t, boolean_t);
-extern int tsol_check_dest(const cred_t *, const void *, uchar_t, boolean_t,
+extern int tsol_check_dest(const cred_t *, const void *, uchar_t, uint_t,
cred_t **);
extern int tsol_compute_label(const cred_t *, ipaddr_t, uchar_t *,
ip_stack_t *);
extern int tsol_compute_label_v6(const cred_t *, const in6_addr_t *, uchar_t *,
ip_stack_t *);
-extern int tsol_check_label(const cred_t *, mblk_t **, boolean_t,
+extern int tsol_check_label(const cred_t *, mblk_t **, uint_t,
ip_stack_t *, pid_t);
-extern int tsol_check_label_v6(const cred_t *, mblk_t **, boolean_t,
+extern int tsol_check_label_v6(const cred_t *, mblk_t **, uint_t,
ip_stack_t *, pid_t);
extern int tsol_prepend_option(uchar_t *, ipha_t *, int);
extern int tsol_prepend_option_v6(uchar_t *, ip6_t *, int);
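Review bot: Changing the fourth parameter of `tsol_check_dest` and the third of `tsol_check_label` and `tsol_check_label_v6` from `boolean_t` to `uint_t` is silent at call sites. A caller still passing `B_TRUE` or `B_FALSE` compiles without a diagnostic, and its argument is now read as whatever the new integer values mean. These functions sit on the label-check path, so a missed caller could run in an unintended mode with no build failure; the callers are outside this diffstat, so that cannot be confirmed here. The prototypes have no parameter names, so I would name the argument and list the accepted values in a comment above them, e.g. `extern int tsol_check_label(const cred_t *, mblk_t **, uint_t mac_mode, ip_stack_t *, pid_t);` (parameter name illustrative).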