Diffstat (limited to 'src')
-rw-r--r--src/conntrack/api.c3
-rw-r--r--src/conntrack/compare.c10
-rw-r--r--src/conntrack/copy.c9
-rw-r--r--src/conntrack/getter.c6
-rw-r--r--src/conntrack/parse.c17
-rw-r--r--src/conntrack/setter.c1
-rw-r--r--src/conntrack/snprintf_default.c11
-rw-r--r--src/conntrack/snprintf_xml.c6
8 files changed, 63 insertions, 0 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 7a5767b..8e5b2fe 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -90,6 +90,8 @@ void nfct_destroy(struct nf_conntrack *ct)
{
assert(ct != NULL);
free(ct);
+ if (ct->secctx)
+ free(ct->secctx);
ct = NULL; /* bugtrap */
}
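Review bot: `ct->secctx` is read after `free(ct)` on the line above it, so the new `if (ct->secctx)` test dereferences memory that has just been released; the added lines must come before `free(ct);`. Because `free(NULL)` is a no-op the guard is not needed either, so the body can simply be `free(ct->secctx); free(ct);` in that order. nfct_destroy is shown in full in this hunk.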
@@ -353,6 +355,7 @@ void nfct_callback_unregister2(struct nfct_handle *h)
* - ATTR_USE
* - ATTR_ID
* - ATTR_*_COUNTER_*
+ * - ATTR_SECCTX
* The call of this function for such attributes do nothing.
*/
void nfct_set_attr(struct nf_conntrack *ct,
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index 134cefd..1cdad1c 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -368,6 +368,14 @@ cmp_zone(const struct nf_conntrack *ct1,
return (ct1->zone == ct2->zone);
}
+static int
+cmp_secctx(const struct nf_conntrack *ct1,
+ const struct nf_conntrack *ct2,
+ unsigned int flags)
+{
+ return strcmp(ct1->secctx, ct2->secctx) == 0;
+}
+
static int cmp_meta(const struct nf_conntrack *ct1,
const struct nf_conntrack *ct2,
unsigned int flags)
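Review bot: cmp_secctx hands `ct1->secctx` and `ct2->secctx` straight to strcmp, which is undefined if either pointer is NULL; whether `__cmp` guarantees the ATTR_SECCTX bit on both objects is not visible here, and even if it does, copy_attr_secctx in this same commit can leave the field NULL when strdup fails. A guard such as `if (!ct1->secctx || !ct2->secctx) return ct1->secctx == ct2->secctx;` ahead of the strcmp keeps the comparison defined. The same unguarded use of `ct->secctx` as a `%s` argument appears in __snprintf_secctx in snprintf_default.c and in the `<secctx>` snprintf in snprintf_xml.c; a `ct->secctx ? ct->secctx : ""` argument would cover those. The unused `flags` parameter matches cmp_zone, so that is consistent with the file.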
@@ -388,6 +396,8 @@ static int cmp_meta(const struct nf_conntrack *ct1,
return 0;
if (!__cmp(ATTR_ZONE, ct1, ct2, flags, cmp_zone))
return 0;
+ if (!__cmp(ATTR_SECCTX, ct1, ct2, flags, cmp_secctx))
+ return 0;
return 1;
}
diff --git a/src/conntrack/copy.c b/src/conntrack/copy.c
index 8d8a6b7..9148640 100644
--- a/src/conntrack/copy.c
+++ b/src/conntrack/copy.c
@@ -415,6 +415,14 @@ static void copy_attr_zone(struct nf_conntrack *dest,
dest->zone = orig->zone;
}
+static void copy_attr_secctx(struct nf_conntrack *dest,
+ const struct nf_conntrack *orig)
+{
+ if (dest->secctx)
+ free(dest->secctx);
+ dest->secctx = strdup(orig->secctx);
+}
+
const copy_attr copy_attr_array[ATTR_MAX] = {
[ATTR_ORIG_IPV4_SRC] = copy_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = copy_attr_orig_ipv4_dst,
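Review bot: copy_attr_secctx ignores the result of `strdup`, so on allocation failure `dest->secctx` is left NULL while whatever marks ATTR_SECCTX set on dest (outside this hunk) presumably still runs, and strdup on a NULL `orig->secctx` is undefined as well. `dest->secctx = orig->secctx ? strdup(orig->secctx) : NULL;` handles the second case; the first needs either a failure signal to the caller or a comment stating that a NULL secctx with the bit set is a tolerated state that readers must check. If a caller ever copies an object onto itself, the free precedes the strdup of the same pointer, which the helper could defend with an early `if (dest == orig) return;`. The `if (dest->secctx)` around free is redundant since `free(NULL)` is a no-op.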
@@ -478,4 +486,5 @@ const copy_attr copy_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = copy_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = copy_attr_tcp_wscale_repl,
[ATTR_ZONE] = copy_attr_zone,
+ [ATTR_SECCTX] = copy_attr_secctx,
};
diff --git a/src/conntrack/getter.c b/src/conntrack/getter.c
index 056fe8a..8a093c6 100644
--- a/src/conntrack/getter.c
+++ b/src/conntrack/getter.c
@@ -317,6 +317,11 @@ static const void *get_attr_zone(const struct nf_conntrack *ct)
return &ct->zone;
}
+static const void *get_attr_secctx(const struct nf_conntrack *ct)
+{
+ return ct->secctx;
+}
+
const get_attr get_attr_array[ATTR_MAX] = {
[ATTR_ORIG_IPV4_SRC] = get_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = get_attr_orig_ipv4_dst,
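Review bot: get_attr_secctx returns the internal `ct->secctx` pointer itself rather than the address of a field as get_attr_zone does, so callers receive storage that nfct_destroy and copy_attr_secctx release; the lifetime is worth stating on the helper, e.g. `/* Returns ct's own heap buffer; it is freed with ct or when the attribute is copied over, so do not keep it past either. */`. It also yields NULL when the field is unset, which readers of the generic getter may not expect for an attribute whose bit is set — a note on that would help if it is intended.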
@@ -380,4 +385,5 @@ const get_attr get_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = get_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = get_attr_tcp_wscale_repl,
[ATTR_ZONE] = get_attr_zone,
+ [ATTR_SECCTX] = get_attr_secctx,
};
diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c
index 64e6e93..841693e 100644
--- a/src/conntrack/parse.c
+++ b/src/conntrack/parse.c
@@ -422,6 +422,20 @@ __parse_helper(const struct nfattr *attr, struct nf_conntrack *ct)
set_bit(ATTR_HELPER_NAME, ct->set);
}
+static void
+__parse_secctx(const struct nfattr *attr, struct nf_conntrack *ct)
+{
+ struct nfattr *tb[CTA_SECCTX_MAX];
+
+ nfnl_parse_nested(tb, CTA_SECCTX_MAX, attr);
+ if (!tb[CTA_SECCTX_NAME-1])
+ return;
+
+ ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]));
+ if (ct->secctx)
+ set_bit(ATTR_SECCTX, ct->set);
+}
+
int __parse_message_type(const struct nlmsghdr *nlh)
{
u_int16_t type = NFNL_MSG_TYPE(nlh->nlmsg_type);
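Review bot: __parse_secctx checks `tb[CTA_SECCTX_NAME-1]` but then dereferences `tb[CTA_SECCTX-1]`, so the NULL test guards a different slot than the one read and the copy takes its data from an index of the top-level attribute enum, which, if its value exceeds CTA_SECCTX_MAX, reads past the `tb` array on the stack; the line should be `ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX_NAME-1]));`. strdup also scans to the first NUL, so the read overruns the netlink buffer if the nested payload ever arrives unterminated — bounding the copy by the attribute's length (`strndup` with `NFA_PAYLOAD`) would not rely on the sender. The return value of `nfnl_parse_nested` is ignored, and an existing `ct->secctx` is overwritten without being freed when the same object is parsed into twice.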
@@ -521,4 +535,7 @@ void __parse_conntrack(const struct nlmsghdr *nlh,
ct->zone = ntohs(*(u_int16_t *)NFA_DATA(cda[CTA_ZONE-1]));
set_bit(ATTR_ZONE, ct->set);
}
+
+ if (cda[CTA_SECCTX-1])
+ __parse_secctx(cda[CTA_SECCTX-1], ct);
}
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 0f907ab..99ac8d7 100644
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -410,4 +410,5 @@ const set_attr set_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = set_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = set_attr_tcp_wscale_repl,
[ATTR_ZONE] = set_attr_zone,
+ [ATTR_SECCTX] = set_attr_do_nothing,
};
diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 4a61f8a..abb9d9f 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -225,6 +225,12 @@ __snprintf_zone(char *buf, unsigned int len, const struct nf_conntrack *ct)
return (snprintf(buf, len, "zone=%u ", ct->zone));
}
+static int
+__snprintf_secctx(char *buf, unsigned int len, const struct nf_conntrack *ct)
+{
+ return (snprintf(buf, len, "secctx=%s ", ct->secctx));
+}
+
int __snprintf_conntrack_default(char *buf,
unsigned int len,
const struct nf_conntrack *ct,
@@ -321,6 +327,11 @@ int __snprintf_conntrack_default(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_SECCTX, ct->set)) {
+ ret = __snprintf_secctx(buf+offset, len, ct);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_ZONE, ct->set)) {
ret = __snprintf_zone(buf+offset, len, ct);
BUFFER_SIZE(ret, size, len, offset);
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index cc588ee..97f6650 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -345,6 +345,12 @@ int __snprintf_conntrack_xml(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_SECCTX, ct->set)) {
+ ret = snprintf(buf+offset, len,
+ "<secctx>%s</secctx>", ct->secctx);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_ZONE, ct->set)) {
ret = snprintf(buf+offset, len, "<zone>%u</zone>", ct->zone);
BUFFER_SIZE(ret, size, len, offset);
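Review bot: the `<secctx>%s</secctx>` write inserts `ct->secctx` verbatim with no XML escaping, so a label containing `<`, `>` or `&` would produce malformed output. Whether the other string fields this file emits make the same assumption is not visible in the hunk; if they do, a comment such as `/* LSM label is emitted unescaped; assumed to contain no XML metacharacters */` would at least record the contract, otherwise an escaping helper is needed here. __snprintf_conntrack_xml starts before this hunk.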