authorChristian Göttsche <cgzones@googlemail.com>2018-10-15 14:18:36 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-10-15 14:31:18 +0200
commit3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch)
tree20595642927c6c8b0ca0a684b1a350bbefd124f2 /src/parser_bison.y
parent27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff)
src: add support for setting secmark
Add support for new nft object secmark holding security context strings. The following should demonstrate its usage (based on SELinux context): # define a tag containing a context string nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\" nft list secmarks # set the secmark nft add rule inet filter input tcp dport 22 meta secmark set sshtag # map usage nft add map inet filter secmapping { type inet_service : secmark \; } nft add element inet filter secmapping { 22 : sshtag } nft list maps nft list map inet filter secmapping nft add rule inet filter input meta secmark set tcp dport map @secmapping [ Original patch based on v0.9.0. Rebase on top of git HEAD. --pablo ] Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r--src/parser_bison.y104
1 files changed, 100 insertions, 4 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c9189e9c..947a3cde 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -149,6 +149,7 @@ int nft_lex(void *, void *, void *);
struct flowtable *flowtable;
struct counter *counter;
struct quota *quota;
+ struct secmark *secmark;
struct ct *ct;
struct limit *limit;
const struct datatype *datatype;
@@ -458,6 +459,9 @@ int nft_lex(void *, void *, void *);
%token QUOTA "quota"
%token USED "used"
+%token SECMARK "secmark"
+%token SECMARKS "secmarks"
+
%token NANOSECOND "nanosecond"
%token MICROSECOND "microsecond"
%token MILLISECOND "millisecond"
@@ -567,7 +571,7 @@ int nft_lex(void *, void *, void *);
%type <flowtable> flowtable_block_alloc flowtable_block
%destructor { flowtable_free($$); } flowtable_block_alloc
-%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block limit_block
+%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block limit_block secmark_block
%destructor { obj_free($$); } obj_block_alloc
%type <list> stmt_list
@@ -672,8 +676,8 @@ int nft_lex(void *, void *, void *);
%type <expr> and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
%destructor { expr_free($$); } and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
-%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj
-%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj
+%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
+%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
%type <expr> relational_expr
%destructor { expr_free($$); } relational_expr
@@ -752,6 +756,8 @@ int nft_lex(void *, void *, void *);
%destructor { xfree($$); } quota_config
%type <limit> limit_config
%destructor { xfree($$); } limit_config
+%type <secmark> secmark_config
+%destructor { xfree($$); } secmark_config
%type <expr> tcp_hdr_expr
%destructor { expr_free($$); } tcp_hdr_expr
@@ -990,6 +996,10 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
+ | SECMARK obj_spec secmark_obj
+ {
+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
+ }
;
replace_cmd : RULE ruleid_spec rule
@@ -1075,6 +1085,10 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
+ | SECMARK obj_spec secmark_obj
+ {
+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
+ }
;
insert_cmd : RULE rule_position rule
@@ -1151,6 +1165,14 @@ delete_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
+ | SECMARK objid_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
get_cmd : ELEMENT set_spec set_block_expr
@@ -1223,6 +1245,18 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
| RULESET ruleset_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_RULESET, &$2, &@$, NULL);
@@ -1518,6 +1552,17 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$4->list, &$1->objs);
$$ = $1;
}
+ | table_block SECMARK obj_identifier
+ obj_block_alloc '{' secmark_block '}'
+ stmt_separator
+ {
+ $4->location = @3;
+ $4->type = NFT_OBJECT_SECMARK;
+ handle_merge(&$4->handle, &$3);
+ handle_free(&$3);
+ list_add_tail(&$4->list, &$1->objs);
+ $$ = $1;
+ }
;
chain_block_alloc : /* empty */
@@ -1650,6 +1695,15 @@ map_block : /* empty */ { $$ = $<set>-1; }
$1->flags |= NFT_SET_OBJECT;
$$ = $1;
}
+ | map_block TYPE
+ data_type_expr COLON SECMARK
+ stmt_separator
+ {
+ $1->key = $3;
+ $1->objtype = NFT_OBJECT_SECMARK;
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
| map_block FLAGS set_flag_list stmt_separator
{
$1->flags |= $3;
@@ -1821,6 +1875,16 @@ limit_block : /* empty */ { $$ = $<obj>-1; }
}
;
+secmark_block : /* empty */ { $$ = $<obj>-1; }
+ | secmark_block common_block
+ | secmark_block stmt_separator
+ | secmark_block secmark_config
+ {
+ $1->secmark = *$2;
+ $$ = $1;
+ }
+ ;
+
type_identifier : STRING { $$ = $1; }
| MARK { $$ = xstrdup("mark"); }
| DSCP { $$ = xstrdup("dscp"); }
@@ -3336,6 +3400,28 @@ quota_obj : quota_config
}
;
+secmark_config : string
+ {
+ int ret;
+ struct secmark *secmark;
+ secmark = xzalloc(sizeof(*secmark));
+ ret = snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", $1);
+ if (ret <= 0 || ret >= (int)sizeof(secmark->ctx)) {
+ erec_queue(error(&@1, "invalid context '%s', max length is %u\n", $1, (int)sizeof(secmark->ctx)), state->msgs);
+ YYERROR;
+ }
+ $$ = secmark;
+ }
+ ;
+
+secmark_obj : secmark_config
+ {
+ $$ = obj_alloc(&@$);
+ $$->type = NFT_OBJECT_SECMARK;
+ $$->secmark = *$1;
+ }
+ ;
+
ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
| TIMEOUT { $$ = NFT_OBJECT_CT_TIMEOUT; }
;
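Review bot: `secmark_config` leaks on both paths: `$1`, the `string` value (heap-allocated like the grammar's other string-valued rules, cf. `xstrdup` in `type_identifier`), is never released, and on the error path the freshly `xzalloc`ed `secmark` is dropped before `$$` is assigned, so the `%destructor` for `secmark_config` cannot reclaim it either — bison runs no destructor for a rule's right-hand side when the action itself invokes `YYERROR`. The diagnostic is also off by one: `snprintf` reserves a byte for the terminator, so the longest accepted context is `sizeof(secmark->ctx) - 1`, yet the message reports `sizeof(secmark->ctx)`, and its `%u` specifier is fed an `int`. `secmark_obj` just below copies `*$1` by value and likewise never frees the config struct; `xfree($1);` after the copy closes that one.
```c
secmark_config		:	string
			{
				int ret;
				struct secmark *secmark;

				secmark = xzalloc(sizeof(*secmark));
				ret = snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", $1);
				if (ret <= 0 || ret >= (int)sizeof(secmark->ctx)) {
					/* longest storable context is one byte short of the buffer */
					erec_queue(error(&@1, "invalid context '%s', max length is %zu\n",
							 $1, sizeof(secmark->ctx) - 1), state->msgs);
					/* YYERROR runs no destructor for the RHS: release both here */
					xfree($1);
					xfree(secmark);
					YYERROR;
				}
				xfree($1);
				$$ = secmark;
			}
			;

secmark_obj		:	secmark_config
			{
				$$ = obj_alloc(&@$);
				$$->type = NFT_OBJECT_SECMARK;
				$$->secmark = *$1;
				xfree($1);
			}
			;
```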
@@ -3725,6 +3811,7 @@ meta_key_qualified : LENGTH { $$ = NFT_META_LEN; }
| PROTOCOL { $$ = NFT_META_PROTOCOL; }
| PRIORITY { $$ = NFT_META_PRIORITY; }
| RANDOM { $$ = NFT_META_PRANDOM; }
+ | SECMARK { $$ = NFT_META_SECMARK; }
;
meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -3752,7 +3839,16 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
meta_stmt : META meta_key SET stmt_expr
{
- $$ = meta_stmt_alloc(&@$, $2, $4);
+ switch ($2) {
+ case NFT_META_SECMARK:
+ $$ = objref_stmt_alloc(&@$);
+ $$->objref.type = NFT_OBJECT_SECMARK;
+ $$->objref.expr = $4;
+ break;
+ default:
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ break;
+ }
}
| meta_key_unqualified SET stmt_expr
{
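Review bot: The `NFT_META_SECMARK` case in `meta_stmt` silently turns what reads as a meta assignment into an object-reference statement, and nothing in the action says why; a reader comparing it with the `meta_key_unqualified SET stmt_expr` alternative below will wonder whether secmark is merely missing there. A one-line comment on the case would settle it: `/* secmark is set from a named secmark object (or a map yielding one), never from an immediate value, so it is an objref statement rather than a meta statement */`. Whether a `stmt_expr` that is neither a symbol nor a map reference is rejected on this path is decided at evaluation time, outside this hunk, and is worth confirming there. The `meta_key_unqualified` alternative that starts on the hunk's last line continues past the end of the hunk.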