src: add support for new secmark object

The new object will hold security context strings. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Christian Göttsche <cgzones@googlemail.com> 2018-09-28 18:21:15 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-10-09 00:12:28 +0200
commit: aaf20ad0dc22d2ebcad1b2c43288e984f0efe2c3 (patch)
tree: 7141cad025b3e3c9ef86f519ce389a498058666a /include/linux/netfilter
parent: f4621a6f870644af934869d52bf24137c76910db (diff)
1 files changed, 17 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index da2c291..f2ee638 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1161,6 +1161,21 @@ enum nft_quota_attributes {
 #define NFTA_QUOTA_MAX		(__NFTA_QUOTA_MAX - 1)
 
 /**
+ * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes
+ *
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
+ */
+enum nft_secmark_attributes {
+	NFTA_SECMARK_UNSPEC,
+	NFTA_SECMARK_CTX,
+	__NFTA_SECMARK_MAX,
+};
+#define NFTA_SECMARK_MAX	(__NFTA_SECMARK_MAX - 1)
+
+/* Max security context length */
+#define NFT_SECMARK_CTX_MAXLEN		256
+
+/**
  * enum nft_reject_types - nf_tables reject expression reject types
  *
  * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
@@ -1416,7 +1431,8 @@ enum nft_ct_timeout_attributes {
 #define NFT_OBJECT_CONNLIMIT	5
 #define NFT_OBJECT_TUNNEL	6
 #define NFT_OBJECT_CT_TIMEOUT	7
-#define __NFT_OBJECT_MAX	8
+#define NFT_OBJECT_SECMARK	8
+#define __NFT_OBJECT_MAX	9
 #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
 
 /**
author	Christian Göttsche <cgzones@googlemail.com>	2018-09-28 18:21:15 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-10-09 00:12:28 +0200
commit	aaf20ad0dc22d2ebcad1b2c43288e984f0efe2c3 (patch)
tree	7141cad025b3e3c9ef86f519ce389a498058666a /include/linux/netfilter
parent	f4621a6f870644af934869d52bf24137c76910db (diff)