-rw-r--r-- | extensions/libxt_SECMARK.c | 90 | ||||
-rw-r--r-- | extensions/libxt_SECMARK.t | 4 | ||||
-rw-r--r-- | include/linux/netfilter/xt_SECMARK.h | 6 |
3 files changed, 80 insertions, 20 deletions
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 6ba86063..24249bd6 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
 	XTOPT_TABLEEND,
 };
 
+static const struct xt_option_entry SECMARK_opts_v1[] = {
+	{.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_PUT,
+	 XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
+	XTOPT_TABLEEND,
+};
+
 static void SECMARK_parse(struct xt_option_call *cb)
 {
 	struct xt_secmark_target_info *info = cb->data;
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
 	info->mode = SECMARK_MODE_SEL;
 }
 
-static void print_secmark(const struct xt_secmark_target_info *info)
+static void SECMARK_parse_v1(struct xt_option_call *cb)
+{
+	struct xt_secmark_target_info_v1 *info = cb->data;
+
+	xtables_option_parse(cb);
+	info->mode = SECMARK_MODE_SEL;
+}
+
+static void print_secmark(__u8 mode, const char *secctx)
 {
-	switch (info->mode) {
+	switch (mode) {
 	case SECMARK_MODE_SEL:
-		printf("selctx %s", info->secctx);
+		printf("selctx %s", secctx);
 		break;
-	
+
 	default:
-		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
 	}
 }
 
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
 		(struct xt_secmark_target_info*)(target)->data;
 
 	printf(" SECMARK ");
-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_print_v1(const void *ip,
+			     const struct xt_entry_target *target, int numeric)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)(target)->data;
+
+	printf(" SECMARK ");
+	print_secmark(info->mode, info->secctx);
 }
 
 static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
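Review bot: `printf("selctx %s", secctx)` in the reworked print_secmark trusts that the SECMARK_SECCTX_MAX-byte array handed back in target->data is NUL-terminated, and nothing in this file checks that; whether the kernel refuses unterminated contexts is not visible here. A bounded conversion makes the print independent of that guarantee: `printf("selctx %.*s", (int)SECMARK_SECCTX_MAX, secctx);`. Because both revisions now funnel through this single helper, that one line covers print and save for either struct.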
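Review bot: SECMARK_print_v1 is a line-for-line copy of SECMARK_print apart from the struct name in the cast, and SECMARK_save_v1 in the following hunk repeats SECMARK_save the same way. The v1 struct added in xt_SECMARK.h appears to share the leading `mode`/`secctx` members of the revision-0 struct and only appends `secid`, which nothing in this file writes; if that prefix layout is meant as a stable promise, the revision-0 print/save callbacks could serve both table entries, and if it is not, a short comment on the v1 functions should say so, e.g. `/* v1 differs from v0 only by the trailing secid; kept separate so each revision casts to its own struct */`. The opening of SECMARK_print lies outside this hunk.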
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
 		(struct xt_secmark_target_info*)target->data;
 
 	printf(" --");
-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
 }
 
-static struct xtables_target secmark_target = {
-	.family = NFPROTO_UNSPEC,
-	.name = "SECMARK",
-	.version = XTABLES_VERSION,
-	.revision = 0,
-	.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-	.help = SECMARK_help,
-	.print = SECMARK_print,
-	.save = SECMARK_save,
-	.x6_parse = SECMARK_parse,
-	.x6_options = SECMARK_opts,
+static void SECMARK_save_v1(const void *ip,
+			    const struct xt_entry_target *target)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)target->data;
+
+	printf(" --");
+	print_secmark(info->mode, info->secctx);
+}
+
+static struct xtables_target secmark_tg_reg[] = {
+	{
+		.family = NFPROTO_UNSPEC,
+		.name = "SECMARK",
+		.version = XTABLES_VERSION,
+		.revision = 0,
+		.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.help = SECMARK_help,
+		.print = SECMARK_print,
+		.save = SECMARK_save,
+		.x6_parse = SECMARK_parse,
+		.x6_options = SECMARK_opts,
+	},
+	{
+		.family = NFPROTO_UNSPEC,
+		.name = "SECMARK",
+		.version = XTABLES_VERSION,
+		.revision = 1,
+		.size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
+		.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
+		.help = SECMARK_help,
+		.print = SECMARK_print_v1,
+		.save = SECMARK_save_v1,
+		.x6_parse = SECMARK_parse_v1,
+		.x6_options = SECMARK_opts_v1,
+	}
 };
 
 void _init(void)
 {
-	xtables_register_target(&secmark_target);
+	xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 }
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
new file mode 100644
index 00000000..39d4c093
--- /dev/null
+++ b/extensions/libxt_SECMARK.t
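Review bot: The revision-1 entry sets `.userspacesize` to `XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid))` while `.size` covers the whole struct, and the reason is stated nowhere in the file; a reader comparing it with the revision-0 entry, where the two are equal, is left to guess. Nothing in this file writes `secid` (SECMARK_parse_v1 sets only `mode` and the option table puts only `secctx`), so it is presumably state the kernel fills in and that must not take part in rule comparison; a comment on that line, such as `/* secid is filled in by the kernel, never by userspace: exclude it from rule comparison */`, would record that. The opening of SECMARK_save lies outside this hunk.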
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
index 989092bd..31760a28 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
 	char secctx[SECMARK_SECCTX_MAX];
 };
 
+struct xt_secmark_target_info_v1 {
+	__u8 mode;
+	char secctx[SECMARK_SECCTX_MAX];
+	__u32 secid;
+};
+
 #endif /*_XT_SECMARK_H_target */