diff options
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/libip6t_SECMARK.c | 125 | ||||
-rw-r--r-- | extensions/libip6t_SECMARK.man | 7 | ||||
-rw-r--r-- | extensions/libipt_CONNSECMARK.c | 126 | ||||
-rw-r--r-- | extensions/libipt_CONNSECMARK.man | 15 | ||||
-rw-r--r-- | extensions/libipt_SECMARK.c | 125 | ||||
-rw-r--r-- | extensions/libipt_SECMARK.man | 7 |
6 files changed, 405 insertions, 0 deletions
diff --git a/extensions/libip6t_SECMARK.c b/extensions/libip6t_SECMARK.c new file mode 100644 index 00000000..8fbae050 --- /dev/null +++ b/extensions/libip6t_SECMARK.c @@ -0,0 +1,125 @@ +/* + * Shared library add-on to iptables to add SECMARK target support. + * + * Based on the MARK target. + * + * IPv6 version. + * + * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <ip6tables.h> +#include <linux/netfilter/xt_SECMARK.h> + +#define PFX "SECMARK target: " + +static void help(void) +{ + printf( +"SECMARK target v%s options:\n" +" --selctx value Set the SELinux security context\n" +"\n", +IPTABLES_VERSION); +} + +static struct option opts[] = { + { "selctx", 1, 0, '1' }, + { 0 } +}; + +/* Initialize the target. */ +static void init(struct ip6t_entry_target *t, unsigned int *nfcache) +{ } + +/* + * Function which parses command options; returns true if it + * ate an option. + */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ip6t_entry *entry, struct ip6t_entry_target **target) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)(*target)->data; + + switch (c) { + case '1': + if (*flags & SECMARK_MODE_SEL) + exit_error(PARAMETER_PROBLEM, PFX + "Can't specify --selctx twice"); + info->mode = SECMARK_MODE_SEL; + + if (strlen(optarg) > SECMARK_SELCTX_MAX-1) + exit_error(PARAMETER_PROBLEM, PFX + "Maximum length %u exceeded by --selctx" + " parameter (%zu)", + SECMARK_SELCTX_MAX-1, strlen(optarg)); + + strcpy(info->u.sel.selctx, optarg); + *flags |= SECMARK_MODE_SEL; + break; + default: + return 0; + } + + return 1; +} + +static void final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, PFX "parameter required"); +} + +static void print_secmark(struct xt_secmark_target_info *info) +{ + switch (info->mode) { + case SECMARK_MODE_SEL: + printf("selctx %s ", info->u.sel.selctx);\ + break; + + default: + exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); + } +} + +static void print(const struct ip6t_ip6 *ip, + const struct ip6t_entry_target *target, int numeric) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)(target)->data; + + printf("SECMARK "); + print_secmark(info); +} + +/* Saves the target info in parsable form to stdout. */ +static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)target->data; + + printf("--"); + print_secmark(info); +} + +static struct ip6tables_target secmark = { + .name = "SECMARK", + .version = IPTABLES_VERSION, + .size = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)), + .userspacesize = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts +}; + +void _init(void) +{ + register_target6(&secmark); +} diff --git a/extensions/libip6t_SECMARK.man b/extensions/libip6t_SECMARK.man new file mode 100644 index 00000000..f892de96 --- /dev/null +++ b/extensions/libip6t_SECMARK.man @@ -0,0 +1,7 @@ +This is used to set the security mark value associated with the +packet for use by security subsystems such as SELinux. It is only +valid in the +.B mangle +table. +.TP +.BI "--selctx " "security_context" diff --git a/extensions/libipt_CONNSECMARK.c b/extensions/libipt_CONNSECMARK.c new file mode 100644 index 00000000..237a41f3 --- /dev/null +++ b/extensions/libipt_CONNSECMARK.c @@ -0,0 +1,126 @@ +/* + * Shared library add-on to iptables to add CONNSECMARK target support. + * + * Based on the MARK and CONNMARK targets. + * + * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <iptables.h> +#include <linux/netfilter/xt_CONNSECMARK.h> + +#define PFX "CONNSECMARK target: " + +static void help(void) +{ + printf( +"CONNSECMARK target v%s options:\n" +" --save Copy security mark from packet to conntrack\n" +" --restore Copy security mark from connection to packet\n" +"\n", +IPTABLES_VERSION); +} + +static struct option opts[] = { + { "save", 0, 0, '1' }, + { "restore", 0, 0, '2' }, + { 0 } +}; + +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, struct ipt_entry_target **target) +{ + struct xt_connsecmark_target_info *info = + (struct xt_connsecmark_target_info*)(*target)->data; + + switch (c) { + case '1': + if (*flags & CONNSECMARK_SAVE) + exit_error(PARAMETER_PROBLEM, PFX + "Can't specify --save twice"); + info->mode = CONNSECMARK_SAVE; + *flags |= CONNSECMARK_SAVE; + break; + + case '2': + if (*flags & CONNSECMARK_RESTORE) + exit_error(PARAMETER_PROBLEM, PFX + "Can't specify --restore twice"); + info->mode = CONNSECMARK_RESTORE; + *flags |= CONNSECMARK_RESTORE; + break; + + default: + return 0; + } + + return 1; +} + +static void final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, PFX "parameter required"); + + if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE)) + exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save " + "or --restore is allowed"); +} + +static void print_connsecmark(struct xt_connsecmark_target_info *info) +{ + switch (info->mode) { + case CONNSECMARK_SAVE: + printf("save "); + break; + + case CONNSECMARK_RESTORE: + printf("restore "); + break; + + default: + exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); + } +} + +static void print(const struct ipt_ip *ip, + const struct ipt_entry_target *target, int numeric) +{ + struct xt_connsecmark_target_info *info = + (struct xt_connsecmark_target_info*)(target)->data; + + printf("CONNSECMARK "); + print_connsecmark(info); +} + +static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) +{ + struct xt_connsecmark_target_info *info = + (struct xt_connsecmark_target_info*)target->data; + + printf("--"); + print_connsecmark(info); +} + +static struct iptables_target connsecmark = { + .next = NULL, + .name = "CONNSECMARK", + .version = IPTABLES_VERSION, + .revision = 0, + .size = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)), + .parse = &parse, + .help = &help, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts +}; + +void _init(void) +{ + register_target(&connsecmark); +} diff --git a/extensions/libipt_CONNSECMARK.man b/extensions/libipt_CONNSECMARK.man new file mode 100644 index 00000000..b94353a3 --- /dev/null +++ b/extensions/libipt_CONNSECMARK.man @@ -0,0 +1,15 @@ +This module copies security markings from packets to connections +(if unlabeled), and from connections back to packets (also only +if unlabeled). Typically used in conjunction with SECMARK, it is +only valid in the +.B mangle +table. +.TP +.B --save +If the packet has a security marking, copy it to the connection +if the connection is not marked. +.TP +.B --restore +If the packet does not have a security marking, and the connection +does, copy the security marking from the connection to the packet. + diff --git a/extensions/libipt_SECMARK.c b/extensions/libipt_SECMARK.c new file mode 100644 index 00000000..89a2b2ad --- /dev/null +++ b/extensions/libipt_SECMARK.c @@ -0,0 +1,125 @@ +/* + * Shared library add-on to iptables to add SECMARK target support. + * + * Based on the MARK target. + * + * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <iptables.h> +#include <linux/netfilter/xt_SECMARK.h> + +#define PFX "SECMARK target: " + +static void help(void) +{ + printf( +"SECMARK target v%s options:\n" +" --selctx value Set the SELinux security context\n" +"\n", +IPTABLES_VERSION); +} + +static struct option opts[] = { + { "selctx", 1, 0, '1' }, + { 0 } +}; + +/* Initialize the target. */ +static void init(struct ipt_entry_target *t, unsigned int *nfcache) +{ } + +/* + * Function which parses command options; returns true if it + * ate an option. + */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, struct ipt_entry_target **target) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)(*target)->data; + + switch (c) { + case '1': + if (*flags & SECMARK_MODE_SEL) + exit_error(PARAMETER_PROBLEM, PFX + "Can't specify --selctx twice"); + info->mode = SECMARK_MODE_SEL; + + if (strlen(optarg) > SECMARK_SELCTX_MAX-1) + exit_error(PARAMETER_PROBLEM, PFX + "Maximum length %u exceeded by --selctx" + " parameter (%zu)", + SECMARK_SELCTX_MAX-1, strlen(optarg)); + + strcpy(info->u.sel.selctx, optarg); + *flags |= SECMARK_MODE_SEL; + break; + default: + return 0; + } + + return 1; +} + +static void final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, PFX "parameter required"); +} + +static void print_secmark(struct xt_secmark_target_info *info) +{ + switch (info->mode) { + case SECMARK_MODE_SEL: + printf("selctx %s ", info->u.sel.selctx);\ + break; + + default: + exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); + } +} + +static void print(const struct ipt_ip *ip, + const struct ipt_entry_target *target, int numeric) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)(target)->data; + + printf("SECMARK "); + print_secmark(info); +} + +/* Saves the target info in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) +{ + struct xt_secmark_target_info *info = + (struct xt_secmark_target_info*)target->data; + + printf("--"); + print_secmark(info); +} + +static struct iptables_target secmark = { + .next = NULL, + .name = "SECMARK", + .version = IPTABLES_VERSION, + .revision = 0, + .size = IPT_ALIGN(sizeof(struct xt_secmark_target_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_secmark_target_info)), + .help = &help, + .init = &init, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts +}; + +void _init(void) +{ + register_target(&secmark); +} diff --git a/extensions/libipt_SECMARK.man b/extensions/libipt_SECMARK.man new file mode 100644 index 00000000..f892de96 --- /dev/null +++ b/extensions/libipt_SECMARK.man @@ -0,0 +1,7 @@ +This is used to set the security mark value associated with the +packet for use by security subsystems such as SELinux. It is only +valid in the +.B mangle +table. +.TP +.BI "--selctx " "security_context" |