From 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Mon, 15 Oct 2018 14:18:36 +0200
Subject: src: add support for setting secmark
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add support for new nft object secmark holding security context strings.
The following should demonstrate its usage (based on SELinux context):

# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks

# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag

# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping

[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]

Signed-off-by: Christian Göttsche
Signed-off-by: Pablo Neira Ayuso
---
 src/rule.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'src/rule.c')

diff --git a/src/rule.c b/src/rule.c
index e1b004c7..8f78a36c 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1326,6 +1326,7 @@ void cmd_free(struct cmd *cmd)
 	case CMD_OBJ_CT_HELPER:
 	case CMD_OBJ_CT_TIMEOUT:
 	case CMD_OBJ_LIMIT:
+	case CMD_OBJ_SECMARK:
 		obj_free(cmd->object);
 		break;
 	case CMD_OBJ_FLOWTABLE:
@@ -1421,6 +1422,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 	case CMD_OBJ_CT_HELPER:
 	case CMD_OBJ_CT_TIMEOUT:
 	case CMD_OBJ_LIMIT:
+	case CMD_OBJ_SECMARK:
 		return netlink_add_obj(ctx, cmd, flags);
 	case CMD_OBJ_FLOWTABLE:
 		return netlink_add_flowtable(ctx, cmd, flags);
@@ -1510,6 +1512,8 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
 					  NFT_OBJECT_CT_TIMEOUT);
 	case CMD_OBJ_LIMIT:
 		return netlink_delete_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+	case CMD_OBJ_SECMARK:
+		return netlink_delete_obj(ctx, cmd, NFT_OBJECT_SECMARK);
 	case CMD_OBJ_FLOWTABLE:
 		return netlink_delete_flowtable(ctx, cmd);
 	default:
@@ -1716,6 +1720,13 @@ static void obj_print_data(const struct obj *obj,
 			nft_print(octx, "%s", opts->nl);
 		}
 		break;
+	case NFT_OBJECT_SECMARK:
+		nft_print(octx, " %s {", obj->handle.obj.name);
+		if (octx->handle > 0)
+			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
+		nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
+		nft_print(octx, "%s", obj->secmark.ctx);
+		break;
 	case NFT_OBJECT_CT_HELPER:
 		nft_print(octx, " %s {", obj->handle.obj.name);
 		if (octx->handle > 0)
@@ -1793,6 +1804,7 @@ static const char * const obj_type_name_array[] = {
 	[NFT_OBJECT_CT_HELPER]	= "ct helper",
 	[NFT_OBJECT_LIMIT]	= "limit",
 	[NFT_OBJECT_CT_TIMEOUT]	= "ct timeout",
+	[NFT_OBJECT_SECMARK]	= "secmark",
 };
 
 const char *obj_type_name(enum stmt_types type)
@@ -1808,6 +1820,7 @@ static uint32_t obj_type_cmd_array[NFT_OBJECT_MAX + 1] = {
 	[NFT_OBJECT_CT_HELPER]	= CMD_OBJ_CT_HELPER,
 	[NFT_OBJECT_LIMIT]	= CMD_OBJ_LIMIT,
 	[NFT_OBJECT_CT_TIMEOUT]	= CMD_OBJ_CT_TIMEOUT,
+	[NFT_OBJECT_SECMARK]	= CMD_OBJ_SECMARK,
 };
 
 uint32_t obj_type_to_cmd(uint32_t type)
@@ -2167,6 +2180,9 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_LIMIT:
 	case CMD_OBJ_LIMITS:
 		return do_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+	case CMD_OBJ_SECMARK:
+	case CMD_OBJ_SECMARKS:
+		return do_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
 	case CMD_OBJ_FLOWTABLES:
 		return do_list_flowtables(ctx, cmd);
 	default:
-- 
cgit v1.2.3
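Review bot: In the obj_print_data hunk the security context is printed bare, `nft_print(octx, "%s", obj->secmark.ctx);`, while the commit message's own example hands it to the parser as a quoted string; if the grammar only accepts a quoted string there, the output of `nft list secmarks` would not round-trip through `nft -f`. Emitting it as `nft_print(octx, "\"%s\"", obj->secmark.ctx);` keeps listed rulesets reloadable and mirrors how the value was entered. A short comment on the new case, e.g. `/* context string is listed verbatim; keep it in a form the parser accepts back */`, would make that expectation explicit for the next object type added here. obj_print_data starts and ends outside the hunk.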