From 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 15 Oct 2018 14:18:36 +0200 Subject: src: add support for setting secmark MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for new nft object secmark holding security context strings. The following should demonstrate its usage (based on SELinux context): # define a tag containing a context string nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\" nft list secmarks # set the secmark nft add rule inet filter input tcp dport 22 meta secmark set sshtag # map usage nft add map inet filter secmapping { type inet_service : secmark \; } nft add element inet filter secmapping { 22 : sshtag } nft list maps nft list map inet filter secmapping nft add rule inet filter input meta secmark set tcp dport map @secmapping [ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ] Signed-off-by: Christian Göttsche Signed-off-by: Pablo Neira Ayuso
--- src/json.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'src/json.c')
diff --git a/src/json.c b/src/json.c
index 1ab2d431..1cde2706 100644
--- a/src/json.c
+++ b/src/json.c
@@ -294,6 +294,12 @@ static json_t *obj_print_json(struct output_ctx *octx, const struct obj *obj)
 json_object_update(root, tmp);
 json_decref(tmp);
 break;
+ case NFT_OBJECT_SECMARK:
+ tmp = json_pack("{s:s}", "context", obj->secmark.ctx);
+ json_object_update(root, tmp);
+ json_decref(tmp);
+ break;
 case NFT_OBJECT_CT_HELPER:
 tmp = json_pack("{s:s, s:o, s:s}", "type", obj->ct_helper.name, "protocol", 
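Review bot: The new NFT_OBJECT_SECMARK case hands obj->secmark.ctx to json_pack() through the `s` conversion and never checks the result before json_object_update(root, tmp); jansson's json_pack() returns NULL when an `s` argument is NULL or is not valid UTF-8, and in that case the "context" key is silently missing from the listed object instead of being reported. The neighbouring NFT_OBJECT_CT_HELPER case follows the same unchecked pattern, so this is not a regression, but the context string is decoded from the kernel's netlink reply rather than taken from the user's command line, and the definition of struct secmark is outside this hunk, so whether ctx can ever be NULL or lack a terminator cannot be confirmed here. If ctx is an inline NUL-terminated buffer filled by the netlink decoder, a one-line comment above the json_pack() call would make that assumption explicit: `/* secmark.ctx is a NUL-terminated string set by the netlink decoder */`. obj_print_json() begins before this hunk and its remaining cases and return continue after it.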
@@ -1706,6 +1712,10 @@ int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd)
 case CMD_OBJ_LIMITS:
 root = do_list_obj_json(ctx, cmd, NFT_OBJECT_LIMIT);
 break;
+ case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SECMARKS:
+ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_SECMARK);
+ break;
 case CMD_OBJ_FLOWTABLES:
 root = do_list_flowtables_json(ctx, cmd);
 break;
-- cgit v1.2.3