authorChristian Göttsche <cgzones@googlemail.com>2018-10-15 14:18:36 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-10-15 14:31:18 +0200
commit3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch)
tree20595642927c6c8b0ca0a684b1a350bbefd124f2 /include
parent27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff)
src: add support for setting secmark
Add support for new nft object secmark holding security context strings. The following should demonstrate its usage (based on SELinux context): # define a tag containing a context string nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\" nft list secmarks # set the secmark nft add rule inet filter input tcp dport 22 meta secmark set sshtag # map usage nft add map inet filter secmapping { type inet_service : secmark \; } nft add element inet filter secmapping { 22 : sshtag } nft list maps nft list map inet filter secmapping nft add rule inet filter input meta secmark set tcp dport map @secmapping [ Original patch based on v0.9.0. Rebase on top of git HEAD. --pablo ] Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/nf_tables.h18
-rw-r--r--include/rule.h9
2 files changed, 26 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 169c2abc..4e285988 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1168,6 +1168,21 @@ enum nft_quota_attributes {
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
/**
+ * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes
+ *
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
+ */
+enum nft_secmark_attributes {
+ NFTA_SECMARK_UNSPEC,
+ NFTA_SECMARK_CTX,
+ __NFTA_SECMARK_MAX,
+};
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
+
+/* Max security context length */
+#define NFT_SECMARK_CTX_MAXLEN 256
+
+/**
* enum nft_reject_types - nf_tables reject expression reject types
*
* @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
@@ -1422,7 +1437,8 @@ enum nft_ct_timeout_attributes {
#define NFT_OBJECT_CONNLIMIT 5
#define NFT_OBJECT_TUNNEL 6
#define NFT_OBJECT_CT_TIMEOUT 7
-#define __NFT_OBJECT_MAX 8
+#define NFT_OBJECT_SECMARK 8
+#define __NFT_OBJECT_MAX 9
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/**
diff --git a/include/rule.h b/include/rule.h
index 88478aa6..9e029899 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -349,6 +349,10 @@ struct limit {
uint32_t flags;
};
+struct secmark {
+ char ctx[NFT_SECMARK_CTX_MAXLEN];
+};
+
/**
* struct obj - nftables stateful object statement
*
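Review bot: `struct secmark` introduces a fixed-size `ctx[NFT_SECMARK_CTX_MAXLEN]` buffer without stating the contract for filling it, while the neighbouring definitions in this header (`struct obj` just below) carry kernel-doc blocks; the code that copies a user-supplied or netlink-supplied context string into `ctx` is outside this commit, since the diff is limited to include/. I would add above the struct: `/** struct secmark - security context object @ctx: NUL-terminated security context string, at most NFT_SECMARK_CTX_MAXLEN - 1 characters */`, so that the parser and the netlink delinearizer bound their copies to leave room for the terminator rather than copying a full `sizeof ctx` bytes. `NFT_SECMARK_CTX_MAXLEN` is defined in include/linux/netfilter/nf_tables.h in this same commit; whether rule.h already includes that header is not visible here and is worth confirming.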
@@ -370,6 +374,7 @@ struct obj {
struct ct_helper ct_helper;
struct limit limit;
struct ct_timeout ct_timeout;
+ struct secmark secmark;
};
};
@@ -468,6 +473,8 @@ enum cmd_ops {
* @CMD_OBJ_LIMIT: limit
* @CMD_OBJ_LIMITS: multiple limits
* @CMD_OBJ_FLOWTABLES: flow tables
+ * @CMD_OBJ_SECMARK: secmark
+ * @CMD_OBJ_SECMARKS: multiple secmarks
*/
enum cmd_obj {
CMD_OBJ_INVALID,
@@ -497,6 +504,8 @@ enum cmd_obj {
CMD_OBJ_FLOWTABLE,
CMD_OBJ_FLOWTABLES,
CMD_OBJ_CT_TIMEOUT,
+ CMD_OBJ_SECMARK,
+ CMD_OBJ_SECMARKS,
};
struct markup {