author | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-12-18 20:18:49 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-01-16 22:32:40 +0100 |
commit | fdda1474cc8654430f245b7f01c30e8ff171fa60 (patch) | |
tree | e9d4a4f3d5a45677c49079aefa13e70541db7f8d /src | |
parent | f1456fa807f20bf8dd73ab3ae3312c2e8187f89f (diff) |
src: add support for CTA_SECCTX
This patch adds support for the new attribute CTA_SECCTX that
supersedes CTA_SECMARK.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/conntrack/api.c | 3 | ||||
-rw-r--r-- | src/conntrack/compare.c | 10 | ||||
-rw-r--r-- | src/conntrack/copy.c | 9 | ||||
-rw-r--r-- | src/conntrack/getter.c | 6 | ||||
-rw-r--r-- | src/conntrack/parse.c | 17 | ||||
-rw-r--r-- | src/conntrack/setter.c | 1 | ||||
-rw-r--r-- | src/conntrack/snprintf_default.c | 11 | ||||
-rw-r--r-- | src/conntrack/snprintf_xml.c | 6 |
8 files changed, 63 insertions, 0 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 7a5767b..8e5b2fe 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -90,6 +90,8 @@ void nfct_destroy(struct nf_conntrack *ct)
{
assert(ct != NULL);
free(ct);
+ if (ct->secctx)
+ free(ct->secctx);
ct = NULL; /* bugtrap */
}
@@ -353,6 +355,7 @@ void nfct_callback_unregister2(struct nfct_handle *h)
* - ATTR_USE
* - ATTR_ID
* - ATTR_*_COUNTER_*
+ * - ATTR_SECCTX
* The call of this function for such attributes do nothing.
*/
void nfct_set_attr(struct nf_conntrack *ct,
diff --git a/src/conntrack/compare.c b/src/conntrack/compare.c
index 134cefd..1cdad1c 100644
--- a/src/conntrack/compare.c
+++ b/src/conntrack/compare.c
@@ -368,6 +368,14 @@ cmp_zone(const struct nf_conntrack *ct1,
return (ct1->zone == ct2->zone);
}
+static int
+cmp_secctx(const struct nf_conntrack *ct1,
+ const struct nf_conntrack *ct2,
+ unsigned int flags)
+{
+ return strcmp(ct1->secctx, ct2->secctx) == 0;
+}
+
static int cmp_meta(const struct nf_conntrack *ct1,
const struct nf_conntrack *ct2,
unsigned int flags)
@@ -388,6 +396,8 @@ static int cmp_meta(const struct nf_conntrack *ct1,
return 0;
if (!__cmp(ATTR_ZONE, ct1, ct2, flags, cmp_zone))
return 0;
+ if (!__cmp(ATTR_SECCTX, ct1, ct2, flags, cmp_secctx))
+ return 0;
return 1;
}
diff --git a/src/conntrack/copy.c b/src/conntrack/copy.c
index 8d8a6b7..9148640 100644
--- a/src/conntrack/copy.c
+++ b/src/conntrack/copy.c
@@ -415,6 +415,14 @@ static void copy_attr_zone(struct nf_conntrack *dest,
dest->zone = orig->zone;
}
+static void copy_attr_secctx(struct nf_conntrack *dest,
+ const struct nf_conntrack *orig)
+{
+ if (dest->secctx)
+ free(dest->secctx);
+ dest->secctx = strdup(orig->secctx);
+}
+
const copy_attr copy_attr_array[ATTR_MAX] = {
[ATTR_ORIG_IPV4_SRC] = copy_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = copy_attr_orig_ipv4_dst,
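Review bot: The two added lines in nfct_destroy read `ct->secctx` after `free(ct)` on the line above, so the member pointer is loaded from freed memory (a use-after-free) before the string itself is released. Release the member before the object, and drop the guard since free(NULL) is a no-op: `free(ct->secctx);` followed by `free(ct);`. As far as this commit shows, nfct_destroy is the only place the heap-allocated secctx is released, which is worth a one-line comment on the field so later code paths that discard an nf_conntrack know they must go through it.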
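Review bot: `cmp_secctx` passes both `secctx` pointers to strcmp unconditionally, so it is only safe if `__cmp` (not visible in this hunk) invokes the callback solely when ATTR_SECCTX is set on both objects and every place that sets the bit guarantees a non-NULL string; parse.c in this commit does set the bit only after a successful strdup, but copy.c does not check its strdup result. A NULL-tolerant form removes the dependency on that invariant: `if (!ct1->secctx || !ct2->secctx) return ct1->secctx == ct2->secctx;` placed before the strcmp. `flags` is accepted but unused; if that is intentional for a string attribute, a one-line comment saying so saves the next reader a lookup.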
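Review bot: `copy_attr_secctx` stores the result of strdup without checking it, so on allocation failure `dest->secctx` becomes NULL while the caller (outside this hunk) may still mark ATTR_SECCTX as set in dest; the comparator and the printers added in this commit then hand that NULL to strcmp and `%s`. parse.c keeps the invariant "bit set implies non-NULL string" by setting the bit only after strdup succeeds, and the copy should keep it too, by clearing ATTR_SECCTX in `dest->set` when strdup returns NULL, or by documenting that the caller is responsible for checking. The `if (dest->secctx)` guard before free is redundant because free(NULL) is a no-op; `free(dest->secctx);` alone is enough.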
@@ -478,4 +486,5 @@ const copy_attr copy_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = copy_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = copy_attr_tcp_wscale_repl,
[ATTR_ZONE] = copy_attr_zone,
+ [ATTR_SECCTX] = copy_attr_secctx,
};
diff --git a/src/conntrack/getter.c b/src/conntrack/getter.c
index 056fe8a..8a093c6 100644
--- a/src/conntrack/getter.c
+++ b/src/conntrack/getter.c
@@ -317,6 +317,11 @@ static const void *get_attr_zone(const struct nf_conntrack *ct)
return &ct->zone;
}
+static const void *get_attr_secctx(const struct nf_conntrack *ct)
+{
+ return ct->secctx;
+}
+
const get_attr get_attr_array[ATTR_MAX] = {
[ATTR_ORIG_IPV4_SRC] = get_attr_orig_ipv4_src,
[ATTR_ORIG_IPV4_DST] = get_attr_orig_ipv4_dst,
@@ -380,4 +385,5 @@ const get_attr get_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = get_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = get_attr_tcp_wscale_repl,
[ATTR_ZONE] = get_attr_zone,
+ [ATTR_SECCTX] = get_attr_secctx,
};
diff --git a/src/conntrack/parse.c b/src/conntrack/parse.c
index 64e6e93..841693e 100644
--- a/src/conntrack/parse.c
+++ b/src/conntrack/parse.c
@@ -422,6 +422,20 @@ __parse_helper(const struct nfattr *attr, struct nf_conntrack *ct)
set_bit(ATTR_HELPER_NAME, ct->set);
}
+static void
+__parse_secctx(const struct nfattr *attr, struct nf_conntrack *ct)
+{
+ struct nfattr *tb[CTA_SECCTX_MAX];
+
+ nfnl_parse_nested(tb, CTA_SECCTX_MAX, attr);
+ if (!tb[CTA_SECCTX_NAME-1])
+ return;
+
+ ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX-1]));
+ if (ct->secctx)
+ set_bit(ATTR_SECCTX, ct->set);
+}
+
int __parse_message_type(const struct nlmsghdr *nlh)
{
u_int16_t type = NFNL_MSG_TYPE(nlh->nlmsg_type);
@@ -521,4 +535,7 @@ void __parse_conntrack(const struct nlmsghdr *nlh,
ct->zone = ntohs(*(u_int16_t *)NFA_DATA(cda[CTA_ZONE-1]));
set_bit(ATTR_ZONE, ct->set);
}
+
+ if (cda[CTA_SECCTX-1])
+ __parse_secctx(cda[CTA_SECCTX-1], ct);
}
diff --git a/src/conntrack/setter.c b/src/conntrack/setter.c
index 0f907ab..99ac8d7 100644
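Review bot: `get_attr_secctx` returns `ct->secctx` itself, whereas `get_attr_zone` directly above returns the address of its field (`&ct->zone`); that is the correct choice for a heap-allocated string, but it is a visible break from the pattern of the neighbouring getters and invites a well-meant "fix" to `&ct->secctx` later. A one-line comment prevents that: `/* secctx is a heap string: return the string, not the address of the pointer */`. The public getter documentation should also say that the returned pointer is owned by the conntrack object and is released in nfct_destroy, as this commit's api.c change shows.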
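Review bot: In `__parse_secctx` the guard tests `tb[CTA_SECCTX_NAME-1]` but the value is read from `tb[CTA_SECCTX-1]`; `tb` is declared with `CTA_SECCTX_MAX` entries and CTA_SECCTX is the outer conntrack attribute index (the next hunk uses it as `cda[CTA_SECCTX-1]`), so unless the two constants happen to coincide this indexes past the end of the stack array and strdup is handed whatever pointer sits there. The data line should use the same index as the guard: `ct->secctx = strdup(NFA_DATA(tb[CTA_SECCTX_NAME-1]));`. strdup also trusts the netlink payload to be NUL-terminated; a copy bounded by the attribute's payload length would remove that dependency. If a `ct` passed in can already carry a secctx (a reused object), the plain assignment leaks the previous string, so freeing it first is a cheap safeguard.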
--- a/src/conntrack/setter.c
+++ b/src/conntrack/setter.c
@@ -410,4 +410,5 @@ const set_attr set_attr_array[ATTR_MAX] = {
[ATTR_TCP_WSCALE_ORIG] = set_attr_tcp_wscale_orig,
[ATTR_TCP_WSCALE_REPL] = set_attr_tcp_wscale_repl,
[ATTR_ZONE] = set_attr_zone,
+ [ATTR_SECCTX] = set_attr_do_nothing,
};
diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 4a61f8a..abb9d9f 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -225,6 +225,12 @@ __snprintf_zone(char *buf, unsigned int len, const struct nf_conntrack *ct)
return (snprintf(buf, len, "zone=%u ", ct->zone));
}
+static int
+__snprintf_secctx(char *buf, unsigned int len, const struct nf_conntrack *ct)
+{
+ return (snprintf(buf, len, "secctx=%s ", ct->secctx));
+}
+
int __snprintf_conntrack_default(char *buf,
unsigned int len,
const struct nf_conntrack *ct,
@@ -321,6 +327,11 @@ int __snprintf_conntrack_default(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_SECCTX, ct->set)) {
+ ret = __snprintf_secctx(buf+offset, len, ct);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_ZONE, ct->set)) {
ret = __snprintf_zone(buf+offset, len, ct);
BUFFER_SIZE(ret, size, len, offset);
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index cc588ee..97f6650 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -345,6 +345,12 @@ int __snprintf_conntrack_xml(char *buf,
BUFFER_SIZE(ret, size, len, offset);
}
+ if (test_bit(ATTR_SECCTX, ct->set)) {
+ ret = snprintf(buf+offset, len,
+ "<secctx>%s</secctx>", ct->secctx);
+ BUFFER_SIZE(ret, size, len, offset);
+ }
+
if (test_bit(ATTR_ZONE, ct->set)) {
ret = snprintf(buf+offset, len, "<zone>%u</zone>", ct->zone);
BUFFER_SIZE(ret, size, len, offset);
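Review bot: The added snprintf in __snprintf_conntrack_xml interpolates `ct->secctx` into `<secctx>%s</secctx>` with no XML escaping, so a label containing `<`, `>` or `&` yields malformed output for any consumer parsing it as XML; whether security-module labels can contain such characters is not established by this hunk, so either escape the string before emitting it or record the assumption with a comment such as `/* secctx is emitted verbatim; assumes labels contain no XML metacharacters */`. The `<zone>` line below formats an integer, so this is the first place in the visible code where an attacker-independent but externally supplied string reaches the XML document unescaped. __snprintf_conntrack_xml begins and ends outside the hunk.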