36,38c36,40 < to all packets with IP addresses local to the system, which includes < interzone and intrazone traffic. To provide access to the packets we will < add hooks into the ip module which will call our callback function. --- > to all packets sent and received by IP on a network interface. For instance, > /dev/ipnet/bge0 will provide observability to packets sent and received by > IP on bge0 subject to the zone restrictions specified below. To provide > access to the packets we will add hooks into the ip module which will call > our callback function. 156c158,160 < addresses assigned to the interface OR, --- > addresses assigned to the interface AND the consumer is > in the global zone or in a non-global zone to which the packet is > destined OR, 160,161c164 < in the global zone or in a non-global zone to which the packet is < destined. --- > in the global zone. 179c182,183 < and therefore is not a new concern. --- > and therefore is not a new concern. Broadcast traffic will be seen as > expected. 196a201,216 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | vers | type | len | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | pad | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | | > + srczone + > | | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | | > + dstzone + > | | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > and in C expressed as: > 200a221 > uint32_t dli_pad; /* Padding for alignment */ 296c317 < PRIV_NET_OBSERVABILITY. This will just allow access to the ipnet devices --- > PRIV_IP_OBSERVABILITY. This will just allow access to the ipnet devices 309,311c330,332 < privileges. As an example of how this privilege might be refined, there < could be separate privileges for observing intrazone, interzone, and < inter-machine traffic. However, for now we plan on keeping one high level --- > privileges. 
As an example of how this privilege might be refined, there > could be separate privileges for observing intrazone, interzone, and > inter-machine traffic. However, for now we plan on keeping one high level 313a335,340 > Given that Trusted Extensions architecture is built upon zones it is clear > that the ipnet architecture must also respect labelling information if the > trusted extensions facility is being used. Where hooks are placed we check > whether the system is lableled and if it is check what the zoneid should be > based on the labelling information. > 319c346 < register with the ip module by calling ip_register_cb() and passing in a --- > register with the ip module by calling ips_register_hook() and passing in a 328c355 < with the ip module by calling ip_unregister_cb(). --- > with the ip module by calling ips_unregister_hook(). 369a397,403 > Essentially the main changes needed to be made to libpcap are adding support > for a decode function for the new DL_IPNET header format and support for the > new DL_IOC_IPNETINFO ioctl. The common use case will be that > DL_IOC_IPNETINFO will be issued so that the DL_IPNET ancillary header will > be passed up by default. The data contained in the ancillary header will > make diagnosibility of certain problems much easier. > 385,387c419,421 < ip_register_cb() Project Private inet/ip.h < ip_unregister_cb() Project Private inet/ip.h < PRIV_NET_OBSERVABILITY Committed sys/priv_names.h --- > ips_register_hook() Project Private inet/ip.h > ips_unregister_hook() Project Private inet/ip.h > PRIV_IP_OBSERVABILITY Committed sys/priv_names.h 406c440 < PRIV_NET_OBSERVABILITY privilege.The proposed content of the man pages is --- > PRIV_IP_OBSERVABILITY privilege.The proposed content of the man pages is 466,468c500,501 < The DLIOCRAW ioctl is supported and puts the stream into raw mode, < which upon receive causes the full MAC-level packet to be sent < upstream in an M_DATA packet. 
--- > The DLIOCRAW ioctl is supported but has no effect on the data > returned from the device. 641c674 < + PRIV_NET_OBSERVABILITY --- > + PRIV_IP_OBSERVABILITY 742d774 <
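Review bot: the rewritten scope statement in hunk 36,38c36,40 drops the old text's explicit coverage of "interzone and intrazone traffic" and replaces it with per-interface wording ("packets sent and received by IP on bge0"). Traffic between two zones on the same host, or a zone talking to itself, may never be sent on a physical interface at all, so say explicitly whether such traffic remains observable (for example through a loopback device) or whether the "zone restrictions specified below" now exclude it; as written the two versions promise different things.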
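Review bot: the access rule produced by hunks 156c158,160 and 160,161c164 mixes AND and OR across line breaks ("addresses assigned to the interface AND the consumer is in the global zone or in a non-global zone to which the packet is destined OR, ... in the global zone."), which leaves operator precedence to the reader. Since this is the rule that decides whether a non-global zone can observe another zone's packets, restate it as an enumerated list with one complete condition per item, and close with a one-sentence summary of the intended effect (a non-global zone sees only traffic it sends or that is destined to it; only the global zone sees everything on the interface), if that is indeed the intent.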
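Review bot: "Broadcast traffic will be seen as expected." in hunk 179c182,183 does not say by whom. Given the zone filtering introduced in the preceding hunks, state whether a consumer in a non-global zone sees every broadcast on the link or only broadcasts to a subnet on which that zone holds an address, since link broadcasts reveal the presence and addressing of other zones sharing the interface.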
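Review bot: the layout added in hunk 196a201,216 shows srczone and dstzone as 64-bit fields and pad as 32 bits, but the only struct change shown (hunk 200a221, "uint32_t dli_pad; /* Padding for alignment */") leaves the width of the zone fields implicit. Declare them with fixed-width 64-bit types that match the diagram rather than a platform id type, state the byte order of the multi-byte fields (vers/type/len/pad and both zone ids), and require producers to zero dli_pad and consumers to ignore it, so the field can be reused later without breaking existing decoders.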
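Review bot: typos in the paragraph added by hunk 313a335,340: "lableled" should be "labelled", and "trusted extensions facility" should be capitalised consistently with "Trusted Extensions" earlier in the same paragraph. More importantly, the paragraph says the hooks "check what the zoneid should be based on the labelling information" but not what follows from that check; add a sentence giving the disposition of a packet whose label-derived zone does not match the consumer's zone (not delivered to that consumer, presumably), since this is the mandatory access control enforcement point for observability on a labelled system.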
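Review bot: typo in hunk 369a397,403: "diagnosibility" should be "diagnosability". The paragraph also says the DL_IPNET ancillary header "will be passed up by default" once DL_IOC_IPNETINFO is issued, but not what a consumer that never issues the ioctl receives (bare IP datagrams with no header, presumably); state this so libpcap's decode function can be selected on whether the ioctl succeeded rather than by inspecting the data.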
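Review bot: the missing space in "privilege.The" survives the rename in hunk 406c440; fix it while touching the line. The PRIV_NET_OBSERVABILITY to PRIV_IP_OBSERVABILITY rename is otherwise applied consistently in hunks 296c317, 385,387c419,421 and 641c674, and the ip_register_cb()/ip_unregister_cb() to ips_register_hook()/ips_unregister_hook() rename in hunks 319c346 and 328c355 matches the interface table entries.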
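Review bot: the DLIOCRAW change in hunk 466,468c500,501 makes the ioctl succeed while doing nothing, so a consumer written for an Ethernet DLPI device that expects "the full MAC-level packet" after DLIOCRAW will silently parse IP bytes as a MAC header. Either say in the man page text that ipnet devices carry no MAC layer and DLIOCRAW is accepted only for compatibility, or consider failing the ioctl so that such consumers notice, and specify how DL_IOC_IPNETINFO header insertion behaves on a stream that has already issued DLIOCRAW.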