From 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 15 Oct 2018 14:18:36 +0200
Subject: src: add support for setting secmark
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add support for new nft object secmark holding security context strings.

The following should demonstrate its usage (based on SELinux context):

    # define a tag containing a context string
    nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
    nft list secmarks

    # set the secmark
    nft add rule inet filter input tcp dport 22 meta secmark set sshtag

    # map usage
    nft add map inet filter secmapping { type inet_service : secmark \; }
    nft add element inet filter secmapping { 22 : sshtag }
    nft list maps
    nft list map inet filter secmapping
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/nf_tables.h | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'include/linux/netfilter')

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 169c2abc..4e285988 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1167,6 +1167,21 @@ enum nft_quota_attributes {
 };
 #define NFTA_QUOTA_MAX		(__NFTA_QUOTA_MAX - 1)
 
+/**
+ * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes
+ *
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
+ */
+enum nft_secmark_attributes {
+	NFTA_SECMARK_UNSPEC,
+	NFTA_SECMARK_CTX,
+	__NFTA_SECMARK_MAX,
+};
+#define NFTA_SECMARK_MAX	(__NFTA_SECMARK_MAX - 1)
+
+/* Max security context length */
+#define NFT_SECMARK_CTX_MAXLEN		256
+
 /**
  * enum nft_reject_types - nf_tables reject expression reject types
  *
@@ -1422,7 +1437,8 @@ enum nft_ct_timeout_attributes {
 #define NFT_OBJECT_CONNLIMIT	5
 #define NFT_OBJECT_TUNNEL	6
 #define NFT_OBJECT_CT_TIMEOUT	7
-#define __NFT_OBJECT_MAX	8
+#define NFT_OBJECT_SECMARK	8
+#define __NFT_OBJECT_MAX	9
 #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
 
 /**
-- 
cgit v1.2.3