-rw-r--r--include/libnetfilter_queue/libnetfilter_queue.h2
-rw-r--r--include/libnetfilter_queue/linux_nfnetlink_queue.h4
-rw-r--r--include/linux/netfilter/nfnetlink_queue.h4
-rw-r--r--src/libnetfilter_queue.c23
-rw-r--r--src/nlmsg.c1
-rw-r--r--utils/nfqnl_test.c12
6 files changed, 43 insertions, 3 deletions
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index bde7209..2e38411 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -105,6 +105,7 @@ extern uint32_t nfq_get_outdev(struct nfq_data *nfad);
extern uint32_t nfq_get_physoutdev(struct nfq_data *nfad);
extern int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid);
extern int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid);
+extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
struct nfq_data *nfad, char *name);
@@ -129,6 +130,7 @@ enum {
NFQ_XML_TIME = (1 << 5),
NFQ_XML_UID = (1 << 6),
NFQ_XML_GID = (1 << 7),
+ NFQ_XML_SECCTX = (1 << 8),
NFQ_XML_ALL = ~0U,
};
diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
index 5b6ae95..1975dfa 100644
--- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
+++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
@@ -53,6 +53,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX, /* security context string */
__NFQA_MAX
};
@@ -106,7 +107,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 22f5d45..030672d 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index c9ed865..84184ee 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -1218,6 +1218,29 @@ int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid)
}
EXPORT_SYMBOL(nfq_get_gid);
+
+/**
+ * nfq_get_secctx - get the security context for this packet
+ * \param nfad Netlink packet data handle passed to callback function
+ * \param secdata data to write the security context to
+ *
+ * \return -1 on error, otherwise > 0
+ */
+int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
+{
+ if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
+ return -1;
+
+ *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data,
+ NFQA_SECCTX, char);
+
+ if (*secdata)
+ return NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1]);
+
+ return 0;
+}
+EXPORT_SYMBOL(nfq_get_secctx);
+
/**
* nfq_get_payload - get payload
* \param nfad Netlink packet data handle passed to callback function
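Review bot: The docstring's `\return -1 on error, otherwise > 0` does not match the body of nfq_get_secctx, which returns 0 when nfnl_get_pointer_to_data yields NULL; say `\return -1 if NFQA_SECCTX is absent, 0 if the attribute carries no data, otherwise the length of the security context in bytes`. The docstring should also state that `*secdata` points into the netlink message held by nfad, is not NUL-terminated by this function, and must only be read up to the returned length — as utils/nfqnl_test.c does with `%.*s`. A caller that hands it to strlen() or a plain `%s` would read past the attribute, so the length contract is the security-relevant part of the documentation.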
diff --git a/src/nlmsg.c b/src/nlmsg.c
index aebdd5e..cabd8be 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -137,6 +137,7 @@ static int nfq_pkt_parse_attr_cb(const struct nlattr *attr, void *data)
case NFQA_IFINDEX_PHYSOUTDEV:
case NFQA_CAP_LEN:
case NFQA_SKB_INFO:
+ case NFQA_SECCTX:
case NFQA_UID:
case NFQA_GID:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
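Review bot: `case NFQA_SECCTX:` is added to the group validated with `MNL_TYPE_U32`, but the attribute is a variable-length security context string (this commit's own header comment calls it `security context string`), and a fixed-size validation rejects payloads of any other length, so the callback would return MNL_CB_ERROR for every packet that actually carries a context. Give it its own case validated as a string, `case NFQA_SECCTX: if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) return MNL_CB_ERROR; break;`, and only tighten to `MNL_TYPE_NUL_STRING` if it is confirmed that the kernel's payload includes the terminating NUL. nfq_pkt_parse_attr_cb begins outside the hunk, so the placement of the new case relative to the existing string-typed cases cannot be checked from here.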
diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c
index b760cf0..5e76ffe 100644
--- a/utils/nfqnl_test.c
+++ b/utils/nfqnl_test.c
@@ -17,7 +17,7 @@ static uint32_t print_pkt (struct nfq_data *tb)
struct nfqnl_msg_packet_hw *hwph;
uint32_t mark, ifi, uid, gid;
int ret;
- unsigned char *data;
+ unsigned char *data, *secdata;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
@@ -61,6 +61,10 @@ static uint32_t print_pkt (struct nfq_data *tb)
if (nfq_get_gid(tb, &gid))
printf("gid=%u ", gid);
+ ret = nfq_get_secctx(tb, &secdata);
+ if (ret > 0)
+ printf("secctx=\"%.*s\" ", ret, secdata);
+
ret = nfq_get_payload(tb, &data);
if (ret >= 0)
printf("payload_len=%d ", ret);
@@ -134,6 +138,12 @@ int main(int argc, char **argv)
"retrieve process UID/GID.\n");
}
+ printf("setting flags to request security context\n");
+ if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) {
+ fprintf(stderr, "This kernel version does not allow to "
+ "retrieve security context.\n");
+ }
+
printf("Waiting for packets...\n");
fd = nfq_fd(h);