diff options
| author | Christian Göttsche <cgzones@googlemail.com> | 2018-10-15 14:18:36 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-15 14:31:18 +0200 |
| commit | 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch) | |
| tree | 20595642927c6c8b0ca0a684b1a350bbefd124f2 /include | |
| parent | 27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff) | |
src: add support for setting secmark
Add support for new nft object secmark holding security context strings.
The following should demonstrate its usage (based on SELinux context):
# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks
# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag
# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping
[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter/nf_tables.h | 18 | ||||
| -rw-r--r-- | include/rule.h | 9 |
2 files changed, 26 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 169c2abc..4e285988 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -1168,6 +1168,21 @@ enum nft_quota_attributes { #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) /** + * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes + * + * @NFTA_SECMARK_CTX: security context (NLA_STRING) + */ +enum nft_secmark_attributes { + NFTA_SECMARK_UNSPEC, + NFTA_SECMARK_CTX, + __NFTA_SECMARK_MAX, +}; +#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) + +/* Max security context length */ +#define NFT_SECMARK_CTX_MAXLEN 256 + +/** * enum nft_reject_types - nf_tables reject expression reject types * * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable @@ -1422,7 +1437,8 @@ enum nft_ct_timeout_attributes { #define NFT_OBJECT_CONNLIMIT 5 #define NFT_OBJECT_TUNNEL 6 #define NFT_OBJECT_CT_TIMEOUT 7 -#define __NFT_OBJECT_MAX 8 +#define NFT_OBJECT_SECMARK 8 +#define __NFT_OBJECT_MAX 9 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/include/rule.h b/include/rule.h index 88478aa6..9e029899 100644 --- a/include/rule.h +++ b/include/rule.h @@ -349,6 +349,10 @@ struct limit { uint32_t flags; }; +struct secmark { + char ctx[NFT_SECMARK_CTX_MAXLEN]; +}; + /** * struct obj - nftables stateful object statement * @@ -370,6 +374,7 @@ struct obj { struct ct_helper ct_helper; struct limit limit; struct ct_timeout ct_timeout; + struct secmark secmark; }; }; @@ -468,6 +473,8 @@ enum cmd_ops { * @CMD_OBJ_LIMIT: limit * @CMD_OBJ_LIMITS: multiple limits * @CMD_OBJ_FLOWTABLES: flow tables + * @CMD_OBJ_SECMARK: secmark + * @CMD_OBJ_SECMARKS: multiple secmarks */ enum cmd_obj { CMD_OBJ_INVALID, @@ -497,6 +504,8 @@ enum cmd_obj { CMD_OBJ_FLOWTABLE, CMD_OBJ_FLOWTABLES, CMD_OBJ_CT_TIMEOUT, + CMD_OBJ_SECMARK, + CMD_OBJ_SECMARKS, }; struct markup { |