author | Christian Göttsche <cgzones@googlemail.com> | 2018-10-15 14:18:36 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-15 14:31:18 +0200 |
commit | 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch) | |
tree | 20595642927c6c8b0ca0a684b1a350bbefd124f2 /src/evaluate.c | |
parent | 27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff) |
src: add support for setting secmark
Add support for new nft object secmark holding security context strings.
The following should demonstrate its usage (based on SELinux context):
# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks
# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag
# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping
[ Original patch based on v0.9.0. Rebased on top of git HEAD. --pablo ]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index ff36f576..db49a18d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3344,6 +3344,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_CT_HELPER:
 	case CMD_OBJ_LIMIT:
 	case CMD_OBJ_CT_TIMEOUT:
+	case CMD_OBJ_SECMARK:
 		return obj_evaluate(ctx, cmd->object);
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
@@ -3372,6 +3373,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_CT_HELPER:
 	case CMD_OBJ_CT_TIMEOUT:
 	case CMD_OBJ_LIMIT:
+	case CMD_OBJ_SECMARK:
 		return 0;
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
@@ -3507,12 +3509,15 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 		return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
 	case CMD_OBJ_LIMIT:
 		return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+	case CMD_OBJ_SECMARK:
+		return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
 	case CMD_OBJ_COUNTERS:
 	case CMD_OBJ_QUOTAS:
 	case CMD_OBJ_CT_HELPERS:
 	case CMD_OBJ_LIMITS:
 	case CMD_OBJ_SETS:
 	case CMD_OBJ_FLOWTABLES:
+	case CMD_OBJ_SECMARKS:
 		if (cmd->handle.table.name == NULL)
 			return 0;
 		if (table_lookup(&cmd->handle, ctx->cache) == NULL)
|
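Review bot: The three switch statements patched here (cmd_evaluate_add, cmd_evaluate_delete and cmd_evaluate_list) are parallel hand-maintained enumerations of object types, and the first two fall through to `BUG("invalid command object type %u\n", cmd->obj)` for anything not listed, so an object type forgotten in one of them only shows up as a runtime abort; a comment at the `default:` label of the first hunk, `/* every new CMD_OBJ_* type must also be added to cmd_evaluate_delete() and cmd_evaluate_list() */`, would make that coupling visible to the next person adding an object. None of the hunks touches the secmark's security context string itself; for the add path that is left to obj_evaluate(), which is outside the hunk, and it is worth confirming there that the user-supplied string is length-checked against the kernel's maximum secmark context length before it is placed in the netlink message, so that an oversized context is rejected with a clear error rather than surfacing only as a kernel-side failure. The delete path returns 0 for CMD_OBJ_SECMARK without further evaluation, which matches the sibling object types in the same hunk. All three enclosing functions begin and end outside the hunks.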