Add support for new nft object secmark holding security context strings.
The following should demonstrate its usage (based on SELinux context):
# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks
# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag
# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping
[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
};
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
+/**
+ * enum nft_secmark_attributes - nf_tables secmark expression netlink attributes
+ *
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
+ */
+enum nft_secmark_attributes {
+ NFTA_SECMARK_UNSPEC,
+ NFTA_SECMARK_CTX,
+ __NFTA_SECMARK_MAX,
+};
+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
+
+/* Max security context length */
+#define NFT_SECMARK_CTX_MAXLEN 256
+
/**
* enum nft_reject_types - nf_tables reject expression reject types
*
#define NFT_OBJECT_CONNLIMIT 5
#define NFT_OBJECT_TUNNEL 6
#define NFT_OBJECT_CT_TIMEOUT 7
-#define __NFT_OBJECT_MAX 8
+#define NFT_OBJECT_SECMARK 8
+#define __NFT_OBJECT_MAX 9
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/**
uint32_t flags;
};
+struct secmark {
+ char ctx[NFT_SECMARK_CTX_MAXLEN];
+};
+
/**
* struct obj - nftables stateful object statement
*
struct ct_helper ct_helper;
struct limit limit;
struct ct_timeout ct_timeout;
+ struct secmark secmark;
};
};
* @CMD_OBJ_LIMIT: limit
* @CMD_OBJ_LIMITS: multiple limits
* @CMD_OBJ_FLOWTABLES: flow tables
+ * @CMD_OBJ_SECMARK: secmark
+ * @CMD_OBJ_SECMARKS: multiple secmarks
*/
enum cmd_obj {
CMD_OBJ_INVALID,
CMD_OBJ_FLOWTABLE,
CMD_OBJ_FLOWTABLES,
CMD_OBJ_CT_TIMEOUT,
+ CMD_OBJ_SECMARK,
+ CMD_OBJ_SECMARKS,
};
struct markup {
case CMD_OBJ_CT_HELPER:
case CMD_OBJ_LIMIT:
case CMD_OBJ_CT_TIMEOUT:
+ case CMD_OBJ_SECMARK:
return obj_evaluate(ctx, cmd->object);
default:
BUG("invalid command object type %u\n", cmd->obj);
case CMD_OBJ_CT_HELPER:
case CMD_OBJ_CT_TIMEOUT:
case CMD_OBJ_LIMIT:
+ case CMD_OBJ_SECMARK:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
case CMD_OBJ_LIMIT:
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+ case CMD_OBJ_SECMARK:
+ return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
case CMD_OBJ_CT_HELPERS:
case CMD_OBJ_LIMITS:
case CMD_OBJ_SETS:
case CMD_OBJ_FLOWTABLES:
+ case CMD_OBJ_SECMARKS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, ctx->cache) == NULL)
json_object_update(root, tmp);
json_decref(tmp);
break;
+ case NFT_OBJECT_SECMARK:
+ tmp = json_pack("{s:s}",
+ "context", obj->secmark.ctx);
+ json_object_update(root, tmp);
+ json_decref(tmp);
+ break;
case NFT_OBJECT_CT_HELPER:
tmp = json_pack("{s:s, s:o, s:s}",
"type", obj->ct_helper.name, "protocol",
case CMD_OBJ_LIMITS:
root = do_list_obj_json(ctx, cmd, NFT_OBJECT_LIMIT);
break;
+ case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SECMARKS:
+ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_SECMARK);
+ break;
case CMD_OBJ_FLOWTABLES:
root = do_list_flowtables_json(ctx, cmd);
break;
nftnl_obj_set_u32(nlo, NFTNL_OBJ_QUOTA_FLAGS,
obj->quota.flags);
break;
+ case NFT_OBJECT_SECMARK:
+ nftnl_obj_set_str(nlo, NFTNL_OBJ_SECMARK_CTX,
+ obj->secmark.ctx);
+ break;
case NFT_OBJECT_CT_HELPER:
nftnl_obj_set_str(nlo, NFTNL_OBJ_CT_HELPER_NAME,
obj->ct_helper.name);
obj->quota.flags =
nftnl_obj_get_u32(nlo, NFTNL_OBJ_QUOTA_FLAGS);
break;
+ case NFT_OBJECT_SECMARK:
+ snprintf(obj->secmark.ctx, sizeof(obj->secmark.ctx), "%s",
+ nftnl_obj_get_str(nlo, NFTNL_OBJ_SECMARK_CTX));
+ break;
case NFT_OBJECT_CT_HELPER:
snprintf(obj->ct_helper.name, sizeof(obj->ct_helper.name), "%s",
nftnl_obj_get_str(nlo, NFTNL_OBJ_CT_HELPER_NAME));
struct flowtable *flowtable;
struct counter *counter;
struct quota *quota;
+ struct secmark *secmark;
struct ct *ct;
struct limit *limit;
const struct datatype *datatype;
%token QUOTA "quota"
%token USED "used"
+%token SECMARK "secmark"
+%token SECMARKS "secmarks"
+
%token NANOSECOND "nanosecond"
%token MICROSECOND "microsecond"
%token MILLISECOND "millisecond"
%type <flowtable> flowtable_block_alloc flowtable_block
%destructor { flowtable_free($$); } flowtable_block_alloc
-%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block limit_block
+%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block limit_block secmark_block
%destructor { obj_free($$); } obj_block_alloc
%type <list> stmt_list
%type <expr> and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
%destructor { expr_free($$); } and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
-%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj
-%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj
+%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
+%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
%type <expr> relational_expr
%destructor { expr_free($$); } relational_expr
%destructor { xfree($$); } quota_config
%type <limit> limit_config
%destructor { xfree($$); } limit_config
+%type <secmark> secmark_config
+%destructor { xfree($$); } secmark_config
%type <expr> tcp_hdr_expr
%destructor { expr_free($$); } tcp_hdr_expr
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
+ | SECMARK obj_spec secmark_obj
+ {
+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
+ }
;
replace_cmd : RULE ruleid_spec rule
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_LIMIT, &$2, &@$, $3);
}
+ | SECMARK obj_spec secmark_obj
+ {
+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
+ }
;
insert_cmd : RULE rule_position rule
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
+ | SECMARK objid_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
get_cmd : ELEMENT set_spec set_block_expr
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_LIMIT, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
| RULESET ruleset_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_RULESET, &$2, &@$, NULL);
list_add_tail(&$4->list, &$1->objs);
$$ = $1;
}
+ | table_block SECMARK obj_identifier
+ obj_block_alloc '{' secmark_block '}'
+ stmt_separator
+ {
+ $4->location = @3;
+ $4->type = NFT_OBJECT_SECMARK;
+ handle_merge(&$4->handle, &$3);
+ handle_free(&$3);
+ list_add_tail(&$4->list, &$1->objs);
+ $$ = $1;
+ }
;
chain_block_alloc : /* empty */
$1->flags |= NFT_SET_OBJECT;
$$ = $1;
}
+ | map_block TYPE
+ data_type_expr COLON SECMARK
+ stmt_separator
+ {
+ $1->key = $3;
+ $1->objtype = NFT_OBJECT_SECMARK;
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
| map_block FLAGS set_flag_list stmt_separator
{
$1->flags |= $3;
}
;
+secmark_block : /* empty */ { $$ = $<obj>-1; }
+ | secmark_block common_block
+ | secmark_block stmt_separator
+ | secmark_block secmark_config
+ {
+ $1->secmark = *$2;
+ $$ = $1;
+ }
+ ;
+
type_identifier : STRING { $$ = $1; }
| MARK { $$ = xstrdup("mark"); }
| DSCP { $$ = xstrdup("dscp"); }
}
;
+secmark_config : string
+ {
+ int ret;
+ struct secmark *secmark;
+ secmark = xzalloc(sizeof(*secmark));
+ ret = snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", $1);
+ if (ret <= 0 || ret >= (int)sizeof(secmark->ctx)) {
+ erec_queue(error(&@1, "invalid context '%s', max length is %u\n", $1, (int)sizeof(secmark->ctx)), state->msgs);
+ YYERROR;
+ }
+ $$ = secmark;
+ }
+ ;
+
+secmark_obj : secmark_config
+ {
+ $$ = obj_alloc(&@$);
+ $$->type = NFT_OBJECT_SECMARK;
+ $$->secmark = *$1;
+ }
+ ;
+
ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
| TIMEOUT { $$ = NFT_OBJECT_CT_TIMEOUT; }
;
| PROTOCOL { $$ = NFT_META_PROTOCOL; }
| PRIORITY { $$ = NFT_META_PRIORITY; }
| RANDOM { $$ = NFT_META_PRANDOM; }
+ | SECMARK { $$ = NFT_META_SECMARK; }
;
meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
meta_stmt : META meta_key SET stmt_expr
{
- $$ = meta_stmt_alloc(&@$, $2, $4);
+ switch ($2) {
+ case NFT_META_SECMARK:
+ $$ = objref_stmt_alloc(&@$);
+ $$->objref.type = NFT_OBJECT_SECMARK;
+ $$->objref.expr = $4;
+ break;
+ default:
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ break;
+ }
}
| meta_key_unqualified SET stmt_expr
{
[NFT_OBJECT_QUOTA] = "quota",
[NFT_OBJECT_CT_HELPER] = "ct helper",
[NFT_OBJECT_LIMIT] = "limit",
+ [NFT_OBJECT_SECMARK] = "secmark",
};
unsigned int i;
if (obj->quota.flags)
obj->quota.flags = NFT_QUOTA_F_INV;
break;
+ case CMD_OBJ_SECMARK:
+ obj->type = NFT_OBJECT_SECMARK;
+ if (!json_unpack(root, "{s:s}", "context", tmp)) {
+ int ret;
+ ret = snprintf(obj->secmark.ctx, sizeof(obj->secmark.ctx), "%s", tmp);
+ if (ret < 0 || ret >= (int)sizeof(obj->secmark.ctx)) {
+ json_error(ctx, "Invalid secmark context '%s', max length is %zu.",
+ tmp, sizeof(obj->secmark.ctx));
+ obj_free(obj);
+ return NULL;
+ }
+ }
+ break;
case NFT_OBJECT_CT_HELPER:
cmd_obj = CMD_OBJ_CT_HELPER;
obj->type = NFT_OBJECT_CT_HELPER;
{ "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object },
{ "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object },
{ "ct helper", NFT_OBJECT_CT_HELPER, json_parse_cmd_add_object },
- { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object }
+ { "limit", CMD_OBJ_LIMIT, json_parse_cmd_add_object },
+ { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object }
};
unsigned int i;
json_t *tmp;
{ "meter", CMD_OBJ_METER, json_parse_cmd_add_set },
{ "meters", CMD_OBJ_METERS, json_parse_cmd_list_multiple },
{ "flowtables", CMD_OBJ_FLOWTABLES, json_parse_cmd_list_multiple },
+ { "secmark", CMD_OBJ_SECMARK, json_parse_cmd_add_object },
+ { "secmarks", CMD_OBJ_SECMARKS, json_parse_cmd_list_multiple },
};
unsigned int i;
json_t *tmp;
case CMD_OBJ_CT_HELPER:
case CMD_OBJ_CT_TIMEOUT:
case CMD_OBJ_LIMIT:
+ case CMD_OBJ_SECMARK:
obj_free(cmd->object);
break;
case CMD_OBJ_FLOWTABLE:
case CMD_OBJ_CT_HELPER:
case CMD_OBJ_CT_TIMEOUT:
case CMD_OBJ_LIMIT:
+ case CMD_OBJ_SECMARK:
return netlink_add_obj(ctx, cmd, flags);
case CMD_OBJ_FLOWTABLE:
return netlink_add_flowtable(ctx, cmd, flags);
NFT_OBJECT_CT_TIMEOUT);
case CMD_OBJ_LIMIT:
return netlink_delete_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+ case CMD_OBJ_SECMARK:
+ return netlink_delete_obj(ctx, cmd, NFT_OBJECT_SECMARK);
case CMD_OBJ_FLOWTABLE:
return netlink_delete_flowtable(ctx, cmd);
default:
nft_print(octx, "%s", opts->nl);
}
break;
+ case NFT_OBJECT_SECMARK:
+ nft_print(octx, " %s {", obj->handle.obj.name);
+ if (octx->handle > 0)
+ nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
+ nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
+ nft_print(octx, "%s", obj->secmark.ctx);
+ break;
case NFT_OBJECT_CT_HELPER:
nft_print(octx, " %s {", obj->handle.obj.name);
if (octx->handle > 0)
[NFT_OBJECT_CT_HELPER] = "ct helper",
[NFT_OBJECT_LIMIT] = "limit",
[NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
+ [NFT_OBJECT_SECMARK] = "secmark",
};
const char *obj_type_name(enum stmt_types type)
[NFT_OBJECT_CT_HELPER] = CMD_OBJ_CT_HELPER,
[NFT_OBJECT_LIMIT] = CMD_OBJ_LIMIT,
[NFT_OBJECT_CT_TIMEOUT] = CMD_OBJ_CT_TIMEOUT,
+ [NFT_OBJECT_SECMARK] = CMD_OBJ_SECMARK,
};
uint32_t obj_type_to_cmd(uint32_t type)
case CMD_OBJ_LIMIT:
case CMD_OBJ_LIMITS:
return do_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
+ case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SECMARKS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
case CMD_OBJ_FLOWTABLES:
return do_list_flowtables(ctx, cmd);
default:
"in" { return IN; }
"out" { return OUT; }
+"secmark" { return SECMARK; }
+"secmarks" { return SECMARKS; }
+
{addrstring} {
yylval->string = xstrdup(yytext);
return STRING;
[NFT_OBJECT_CT_HELPER] = "ct helper",
[NFT_OBJECT_LIMIT] = "limit",
[NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
+ [NFT_OBJECT_SECMARK] = "secmark",
};
const char *objref_type_name(uint32_t type)
projects / thirdparty / nftables.git / commitdiff
