From 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Mon, 15 Oct 2018 14:18:36 +0200
Subject: src: add support for setting secmark
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add support for new nft object secmark holding security context strings.

The following should demonstrate its usage (based on SELinux context):

# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks

# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag

# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping

[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]

Signed-off-by: Christian Göttsche
Signed-off-by: Pablo Neira Ayuso
---
 src/parser_json.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
(limited to 'src/parser_json.c')

diff --git a/src/parser_json.c b/src/parser_json.c
index e9b0ef96..7047c00d 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2472,6 +2472,7 @@ static int string_to_nft_object(const char *str)
 [NFT_OBJECT_QUOTA] = "quota",
 [NFT_OBJECT_CT_HELPER] = "ct helper",
 [NFT_OBJECT_LIMIT] = "limit",
+ [NFT_OBJECT_SECMARK] = "secmark",
 };
 unsigned int i;
 
@@ -2826,6 +2827,19 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx,
 if (obj->quota.flags)
 obj->quota.flags = NFT_QUOTA_F_INV;
 break;
+ case CMD_OBJ_SECMARK:
+ obj->type = NFT_OBJECT_SECMARK;
+ if (!json_unpack(root, "{s:s}", "context", tmp)) {
+ int ret;
+ ret = snprintf(obj->secmark.ctx, sizeof(obj->secmark.ctx), "%s", tmp);
+ if (ret < 0 || ret >= (int)sizeof(obj->secmark.ctx)) {
+ json_error(ctx, "Invalid secmark context '%s', max length is %zu.",
+ tmp, sizeof(obj->secmark.ctx));
+ obj_free(obj);
+ return NULL;
+ }
+ }
+ break;
 case NFT_OBJECT_CT_HELPER:
 cmd_obj = CMD_OBJ_CT_HELPER;
 obj->type = NFT_OBJECT_CT_HELPER;
@@ -2939,7 +2953,8 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
 { "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object },
 { "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object },
 { "ct helper", NFT_OBJECT_CT_HELPER, json_parse_cmd_add_object },
- { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object }
+ { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object },
+ { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }
 };
 unsigned int i;
 json_t *tmp;
@@ -3103,6 +3118,8 @@ static struct cmd *json_parse_cmd_list(struct json_ctx *ctx,
 { "meter", CMD_OBJ_METER, json_parse_cmd_add_set },
 { "meters", CMD_OBJ_METERS, json_parse_cmd_list_multiple },
 { "flowtables", CMD_OBJ_FLOWTABLES, json_parse_cmd_list_multiple },
+ { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object },
+ { "secmarks", CMD_OBJ_SECMARKS, json_parse_cmd_list_multiple },
 };
 unsigned int i;
 json_t *tmp;
-- 
cgit v1.2.3
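Review bot: The `json_error` message in the new `CMD_OBJ_SECMARK` case reports `sizeof(obj->secmark.ctx)` as the maximum length, but the check just above rejects `ret >= (int)sizeof(obj->secmark.ctx)`, so the longest context actually accepted is one byte shorter; print `sizeof(obj->secmark.ctx) - 1` so the error matches the check. A missing `context` key is also accepted silently: `json_unpack` fails, the `if` body is skipped and the case reaches `break` with the context left at whatever the allocator filled in, which presumably yields an empty secmark — an explicit `json_error(ctx, "Missing secmark context.");` followed by `obj_free(obj); return NULL;` would report the problem at parse time rather than leaving it to the kernel. The call `json_unpack(root, "{s:s}", "context", tmp)` also appears to pass `tmp` by value, while the `s` conversion stores through a `const char **`, so if `tmp` is the function's `const char *` this needs `&tmp` — unless the ampersand was lost in rendering, in which case disregard this. json_parse_cmd_add_object starts and ends outside the hunk.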