When packets pass in and out of six-to-four (STF) tunnels, perform

labeling checks and operations as with other network interfaces.
Eventually, if it proves desirable, we might want to offer special
casing of this or other tunnel interfaces where we have an existing
label of interest, rather than treating it as though it's an
entirely fresh mbuf in the incoming/outgoing encapsulation directions.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

sys/net/if_stf.c

@@ -76,11 +76,13 @@
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/errno.h>
 #include <sys/kernel.h>
@@ -355,6 +357,15 @@ stf_output(ifp, m, dst, rt)
 	struct ip *ip;
 	struct ip6_hdr *ip6;
 	struct in6_ifaddr *ia6;
+#ifdef MAC
+	int error;
+
+	error = mac_check_ifnet_transmit(ifp, m);
+	if (error) {
+		m_freem(m);
+		return (error);
+	}
+#endif
 
 	sc = (struct stf_softc*)ifp;
 	dst6 = (struct sockaddr_in6 *)dst;
@@ -613,6 +624,10 @@ in_stf_input(m, off)
 
 	ifp = &sc->sc_if;
 
+#ifdef MAC
+	mac_create_mbuf_from_ifnet(ifp, m);
+#endif
+
 	/*
 	 * perform sanity check against outer src/dst.
 	 * for source, perform ingress filter as well.