* [PATCHSET 0/5] SECMARK 2.0
@ 2006-05-18 15:37 James Morris
  2006-05-18 15:38 ` [PATCH 01/05] secmark: Add libselinux support James Morris
From: James Morris @ 2006-05-18 15:37 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

These are the iptables userland patches for the latest version of secmark, 
which has just been committed to the -mm tree.

Secmark implements a new scheme for adding security markings to packets 
via iptables, as well as changes to SELinux to use these markings for 
security policy enforcement.  The rationale for this scheme is explained 
and discussed in detail in the original threads: 
http://thread.gmane.org/gmane.linux.network/34927/ 
http://thread.gmane.org/gmane.linux.network/35244/

The latest kernel patches were posted here: 
http://marc.theaimsgroup.com/?l=linux-netdev&m=114794408021148&w=2 for 

Examples of policy and rulesets, as well as a full archive of patches for 
iptables and SELinux userland, may be found at:
http://people.redhat.com/jmorris/selinux/secmark/

The iptables userland patches do the following:

o Add support for linking to libselinux
o Add SECMARK targets for IPv4 and IPv6
o Add CONNSECMARK targets for IPv4 and IPv6

Following a suggestion from Patrick, the CONNSECMARK target now handles all 
conntrack-related functions.

Any questions, please let me know.

If it looks ok, please consider applying.

- James
-- 
James Morris
<jmorris@namei.org>
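Worked example, added by the editor and not part of James's patchset or of the material at the URLs above: a mangle-table ruleset, in iptables-restore format, that uses the two targets the way the CONNSECMARK man page in this series describes them (SECMARK on the first packet of a new flow, CONNSECMARK --save to pin that label to the connection, CONNSECMARK --restore for every later packet). The SELinux type httpd_packet_t is a hypothetical name chosen for illustration; the 255-byte limit assumes SECMARK_SELCTX_MAX is 256 as in the kernel's xt_SECMARK.h (the posted libipt_SECMARK.c only names the macro); `-m state` is the connection-state match of that era's iptables.

```shell
#!/bin/sh
# Added example (not part of the posted patchset): a mangle-table ruleset that
# uses SECMARK and CONNSECMARK together to label a web service's traffic, in
# iptables-restore(8) format. The context system_u:object_r:httpd_packet_t:s0
# is a hypothetical policy type for illustration; use a type from your policy.

# SECMARK_SELCTX_MAX is 256 in the kernel's xt_SECMARK.h (assumed here; the
# posted libipt_SECMARK.c only refers to the macro), so the user-space code
# rejects contexts longer than 255 bytes. Reproduce that check and add a
# shape check (user:role:type[:level]) that the posted code does not do.
check_selctx() {
    ctx=$1
    [ "${#ctx}" -le 255 ] || return 1
    case $ctx in
        *:*:*) ;;                         # at least user:role:type
        *)     return 1 ;;
    esac
    case $ctx in
        *[!A-Za-z0-9_.,:-]*) return 1 ;;  # MLS ranges use '.', ',' and '-'
    esac
    return 0
}

# Rules for the chain that sees the first packet of a connection to the
# service ($1 = chain, $2 = TCP port, $3 = context). Order matters:
#   1. CONNSECMARK --restore: packets of an already labeled connection get
#      the connection's label and never reach the SECMARK rule.
#   2. SECMARK --selctx: the first packet of a NEW connection to the port
#      is labeled.
#   3. CONNSECMARK --save: that fresh label is copied onto the conntrack
#      entry (only while the connection is unlabeled), so step 1 can
#      restore it for the rest of the flow.
label_rules() {
    chain=$1 port=$2 ctx=$3
    printf '%s\n' \
        "-A $chain -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore" \
        "-A $chain -m state --state NEW -p tcp --dport $port -j SECMARK --selctx $ctx" \
        "-A $chain -m state --state NEW -j CONNSECMARK --save"
}

# Chains that only see later packets of the connection (server replies on
# OUTPUT) need just the restore step.
restore_rules() {
    printf '%s\n' "-A $1 -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
}

# Emit the complete mangle table for iptables-restore; both targets are only
# valid in the mangle table. Fails closed on a malformed context.
secmark_ruleset() {
    port=$1 ctx=$2
    check_selctx "$ctx" || { echo "secmark_ruleset: bad context '$ctx'" >&2; return 1; }
    printf '%s\n' '*mangle' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    label_rules INPUT "$port" "$ctx"
    restore_rules OUTPUT
    printf '%s\n' COMMIT
}

# Usage: sh secmark-rules.sh 80 system_u:object_r:httpd_packet_t:s0 | iptables-restore
if [ "$#" -ge 2 ]; then
    secmark_ruleset "$1" "$2"
fi
```

Piping the output into iptables-restore replaces the current mangle table; on a live host use --noflush or merge these rules with the existing ones. The labels by themselves enforce nothing: SELinux policy has to define the type and grant access to it, which is the policy side of the work James points to above.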


* [PATCH 01/05] secmark: Add libselinux support
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
@ 2006-05-18 15:38 ` James Morris
  2006-05-18 15:39 ` [PATCH 02/05] secmark: Add libipt_SECMARK James Morris
From: James Morris @ 2006-05-18 15:38 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

This patch adds the infrastructure for linking iptables against
libselinux, for use with the SECMARK target.  This is enabled
by setting DO_SELINUX=1 in the build environment.

Signed-off-by: James Morris <jmorris@namei.org>

---

 Makefile            |   14 +++++++++++++-
 Rules.make          |   11 +++++++++--
 extensions/Makefile |   15 ++++++++++++++-
 3 files changed, 36 insertions(+), 4 deletions(-)


diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile	2006-04-14 23:05:41.000000000 -0400
+++ iptables.w/extensions/Makefile	2006-05-17 17:05:15.000000000 -0400
@@ -8,6 +8,11 @@
 PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
 PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
 
+ifeq ($(DO_SELINUX), 1)
+PF_EXT_SE_SLIB:=
+PF6_EXT_SE_SLIB:=
+endif
+
 # Optionals
 PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
 PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
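Review bot: PF_EXT_SE_SLIB and PF6_EXT_SE_SLIB are introduced empty inside `ifeq ($(DO_SELINUX), 1)` with nothing saying what belongs in them; a one-line comment that these lists hold the extensions that must be linked against libselinux (populated by the later patches in this series) would save the next reader a trip through Rules.make. The `ifeq` is also evaluated when this file is read on its own for the `local:` target below, where the top-level `DO_SELINUX=0` default is not in effect; an unset variable still compares unequal to 1, so it is correct, but worth saying in the same comment.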
@@ -43,26 +48,34 @@ OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT
 
 ifndef NO_SHARED_LIBS
 SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
 
 ifeq ($(DO_IPV6), 1)
 SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
 EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
 endif
 else 	# NO_SHARED_LIBS
 EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
+EXT_OBJS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).o)
 EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
+EXT_FUNC+=$(foreach T,$(PF_EXT_SE_SLIB),ipt_$(T))
 EXT_OBJS+= extensions/initext.o
 ifeq ($(DO_IPV6), 1)
 EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
+EXT6_OBJS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).o)
 EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
+EXT6_FUNC+=$(foreach T,$(PF6_EXT_SE_SLIB),ip6t_$(T))
 EXT6_OBJS+= extensions/initext6.o
 endif	# DO_IPV6
 endif	# NO_SHARED_LIBS
 
 ifndef TOPLEVEL_INCLUDED
 local:
-	cd .. && $(MAKE) $(SHARED_LIBS)
+	cd .. && $(MAKE) $(SHARED_LIBS) $(SHARED_SE_LIBS)
 endif
 
 ifdef NO_SHARED_LIBS
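Review bot: none of the SECMARK/CONNSECMARK sources added later in this series include a libselinux header or call a libselinux function, so the separate SHARED_SE_LIBS list and the `-lselinux` link exist for code that does not yet use the library. Either drop the dependency until something needs it, or use it: calling libselinux's security_check_context() from parse() in libipt_SECMARK.c would let iptables reject a malformed --selctx value with a clear message instead of leaving it to the kernel. If the split stays, a comment above `SHARED_SE_LIBS+=` explaining why these objects need their own list (they get a different link line in Rules.make) would help.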
diff -purN -X dontdiff iptables.p/Makefile iptables.w/Makefile
--- iptables.p/Makefile	2006-05-16 17:55:05.000000000 -0400
+++ iptables.w/Makefile	2006-05-17 17:05:15.000000000 -0400
@@ -31,6 +31,11 @@ ifeq ($(shell [ -f /usr/include/netinet/
 DO_IPV6:=1
 endif
 
+# Enable linking to libselinux via enviornment 'DO_SELINUX=1'
+ifndef DO_SELINUX
+DO_SELINUX=0
+endif
+
 COPT_FLAGS:=-O2
 CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
 
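Review bot: typo in the new comment, `enviornment` should be `environment`. Also, `DO_SELINUX=0` uses recursive assignment while the neighbouring defaults such as `DO_IPV6:=1` use `:=`; use `DO_SELINUX:=0` for consistency.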
@@ -93,17 +98,24 @@ endif
 
 ifndef NO_SHARED_LIBS
 DEPFILES = $(SHARED_LIBS:%.so=%.d)
+DEPFILES += $(SHARED_SE_LIBS:%.so=%.d)
 SH_CFLAGS:=$(CFLAGS) -fPIC
 STATIC_LIBS  =
 STATIC6_LIBS =
 LDFLAGS      = -rdynamic
 LDLIBS       = -ldl -lnsl
+ifeq ($(DO_SELINUX), 1)
+LDLIBS       += -lselinux
+endif
 else
 DEPFILES = $(EXT_OBJS:%.o=%.d)
 STATIC_LIBS  = extensions/libext.a
 STATIC6_LIBS = extensions/libext6.a
 LDFLAGS      = -static
-LDLIBS       =
+LDLIBS	     =
+ifeq ($(DO_SELINUX), 1)
+LDLIBS       += -lselinux
+endif
 endif
 
 .PHONY: default
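Review bot: the `-LDLIBS       =` / `+LDLIBS	     =` pair in the static branch is a whitespace-only change (spaces replaced by a tab) unrelated to the patch; drop it so the hunk shows only the real change. In the shared-library branch, appending `-lselinux` to LDLIBS links the iptables binary itself against libselinux although nothing in the binary references it; the extensions pick it up only because the new Rules.make link rule passes `$(LDLIBS)`. Only the `NO_SHARED_LIBS` branch genuinely needs it on the final link line; the shared case would be cleaner with a separate variable used just by the extension link rule.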
diff -purN -X dontdiff iptables.p/Rules.make iptables.w/Rules.make
--- iptables.p/Rules.make	2006-04-28 04:09:07.000000000 -0400
+++ iptables.w/Rules.make	2006-05-17 17:05:15.000000000 -0400
@@ -1,12 +1,12 @@
 #! /usr/bin/make
 
-all: $(SHARED_LIBS) $(EXTRAS)
+all: $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS)
 
 experimental: $(EXTRAS_EXP)
 
 # Have to handle extensions which no longer exist.
 clean: $(EXTRA_CLEANS)
-	rm -f $(SHARED_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o)
+	rm -f $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o) $(SHARED_SE_LIBS:%.so=%_sh.o)
 	rm -f extensions/initext.c extensions/initext6.c
 	@find . -name '*.[ao]' -o -name '*.so' | xargs rm -f
 
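Review bot: the extra `$(SHARED_SE_LIBS:%.so=%_sh.o)` on the `clean` line is redundant, since the `find . -name '*.[ao]' -o -name '*.so' | xargs rm -f` two lines below already removes every .o and .so under the tree; the line is getting long for no gain. Keeping `$(SHARED_SE_LIBS)` in `all:` is the part that matters.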
@@ -33,6 +33,13 @@ $(SHARED_LIBS:%.so=%.d): %.d: %.c
 $(SHARED_LIBS): %.so : %_sh.o
 	$(LD) -shared $(EXT_LDFLAGS) -o $@ $<
 
+$(SHARED_SE_LIBS:%.so=%.d): %.d: %.c
+	@-$(CC) -M -MG $(CFLAGS) $< | \
+		sed -e 's@^.*\.o:@$*.d $*_sh.o:@' > $@
+
+$(SHARED_SE_LIBS): %.so : %_sh.o
+	$(LD) -shared $(EXT_LDFLAGS) -o $@ $< $(LDLIBS)
+
 %_sh.o : %.c
 	$(CC) $(SH_CFLAGS) -o $@ -c $<
 
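Review bot: the two new pattern rules are copies of the SHARED_LIBS rules above them, the only difference being `$(LDLIBS)` on the link line, which also drags `-ldl -lnsl` into every SECMARK/CONNSECMARK .so. A GNU make target-specific variable would avoid both problems: keep the SE extensions in SHARED_LIBS and add a single line such as `$(SHARED_SE_LIBS): EXT_LDFLAGS += -lselinux` (suggested, not in the patch), so one link rule serves every extension and only libselinux is added. If the duplication stays, the `.d` rule's sed expression should at least be shared rather than repeated.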


* [PATCH 02/05] secmark: Add libipt_SECMARK
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
  2006-05-18 15:38 ` [PATCH 01/05] secmark: Add libselinux support James Morris
@ 2006-05-18 15:39 ` James Morris
  2006-05-18 15:40 ` [PATCH 03/05] secmark: Add libip6t_SECMARK James Morris
From: James Morris @ 2006-05-18 15:39 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

This patch adds the shared library module for the SECMARK target (IPv4).

Signed-off-by: James Morris <jmorris@namei.org>

---

 extensions/Makefile           |    2 
 extensions/libipt_SECMARK.c   |  125 ++++++++++++++++++++++++++++++++++++++++++
 extensions/libipt_SECMARK.man |    7 ++
 3 files changed, 133 insertions(+), 1 deletion(-)

diff -purN -X dontdiff iptables.p/extensions/libipt_SECMARK.c iptables.w/extensions/libipt_SECMARK.c
--- iptables.p/extensions/libipt_SECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_SECMARK.c	2006-05-17 20:06:46.000000000 -0400
@@ -0,0 +1,125 @@
+/*
+ * Shared library add-on to iptables to add SECMARK target support.
+ *
+ * Based on the MARK target.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+#define PFX "SECMARK target: "
+
+static void help(void)
+{
+	printf(
+"SECMARK target v%s options:\n"
+"  --selctx value                     Set the SELinux security context\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "selctx", 1, 0, '1' },
+	{ 0 }
+};
+
+/* Initialize the target. */
+static void init(struct ipt_entry_target *t, unsigned int *nfcache)
+{ }
+
+/*
+ * Function which parses command options; returns true if it
+ * ate an option.
+ */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+                 const struct ipt_entry *entry, struct ipt_entry_target **target)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & SECMARK_MODE_SEL)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --selctx twice");
+		info->mode = SECMARK_MODE_SEL;
+
+		if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Maximum length %u exceeded by --selctx"
+				   " parameter (%zu)",
+				   SECMARK_SELCTX_MAX-1, strlen(optarg));
+
+		strcpy(info->u.sel.selctx, optarg);
+		*flags |= SECMARK_MODE_SEL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+}
+
+static void print_secmark(struct xt_secmark_target_info *info)
+{
+	switch (info->mode) {
+	case SECMARK_MODE_SEL:
+		printf("selctx %s ", info->u.sel.selctx);\
+		break;
+	
+	default:
+		exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+	}
+}
+
+static void print(const struct ipt_ip *ip,
+		  const struct ipt_entry_target *target, int numeric)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)(target)->data;
+
+	printf("SECMARK ");
+	print_secmark(info);
+}
+
+/* Saves the target info in parsable form to stdout. */
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)target->data;
+
+	printf("--");
+	print_secmark(info);
+}
+
+static struct iptables_target secmark = {
+	.next		= NULL,
+	.name		= "SECMARK",
+	.version	= IPTABLES_VERSION,
+	.revision	= 0,
+	.size		= IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&secmark);
+}
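Review bot: stray line-continuation backslash at the end of `printf("selctx %s ", info->u.sel.selctx);\` in print_secmark(); it splices the following `break;` onto the printf line. The compiler accepts it, but it should go. In parse(), the strcpy() into info->u.sel.selctx is safe because of the preceding strlen() check against SECMARK_SELCTX_MAX-1, but nothing validates the string as a SELinux context even though this series links libselinux; security_check_context() there would give a user-space error instead of leaving it to the kernel's checkentry. Minor: init() is an empty stub; the CONNSECMARK target in this same series simply omits .init.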
diff -purN -X dontdiff iptables.p/extensions/libipt_SECMARK.man iptables.w/extensions/libipt_SECMARK.man
--- iptables.p/extensions/libipt_SECMARK.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_SECMARK.man	2006-05-17 17:08:25.000000000 -0400
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux.  It is only
+valid in the
+.B mangle
+table.
+.TP
+.BI "--selctx " "security_context"
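Review bot: the `.BI "--selctx " "security_context"` entry has no description after it, unlike the CONNSECMARK man page in this series which explains each option; add a line saying it sets the packet's security mark to the given SELinux context, and ideally an example rule, since the context format is the part users get wrong.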
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile	2006-05-17 20:08:11.000000000 -0400
+++ iptables.w/extensions/Makefile	2006-05-17 20:05:11.000000000 -0400
@@ -9,7 +9,7 @@ PF_EXT_SLIB:=ah addrtype comment connlim
 PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
 
 ifeq ($(DO_SELINUX), 1)
-PF_EXT_SE_SLIB:=
+PF_EXT_SE_SLIB:=SECMARK
 PF6_EXT_SE_SLIB:=
 endif
 
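Review bot: libipt_SECMARK.c uses nothing from libselinux, so gating it behind `DO_SELINUX=1` means a build without libselinux loses the target although it would compile and work as posted; only the parts that actually call into libselinux need the gate.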


* [PATCH 03/05] secmark: Add libip6t_SECMARK
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
  2006-05-18 15:38 ` [PATCH 01/05] secmark: Add libselinux support James Morris
  2006-05-18 15:39 ` [PATCH 02/05] secmark: Add libipt_SECMARK James Morris
@ 2006-05-18 15:40 ` James Morris
  2006-05-18 15:41 ` [PATCH 04/05] secmark: Add libipt_CONNSECMARK James Morris
From: James Morris @ 2006-05-18 15:40 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

This patch adds the shared library module for the SECMARK target (IPv6).

Signed-off-by: James Morris <jmorris@namei.org>

---

diff -purN -X dontdiff iptables.p/extensions/libip6t_SECMARK.c iptables.w/extensions/libip6t_SECMARK.c
--- iptables.p/extensions/libip6t_SECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_SECMARK.c	2006-05-17 20:09:57.000000000 -0400
@@ -0,0 +1,125 @@
+/*
+ * Shared library add-on to iptables to add SECMARK target support.
+ *
+ * Based on the MARK target.
+ *
+ * IPv6 version.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ip6tables.h>
+#include <linux/netfilter/xt_SECMARK.h>
+
+#define PFX "SECMARK target: "
+
+static void help(void)
+{
+	printf(
+"SECMARK target v%s options:\n"
+"  --selctx value                     Set the SELinux security context\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "selctx", 1, 0, '1' },
+	{ 0 }
+};
+
+/* Initialize the target. */
+static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
+{ }
+
+/*
+ * Function which parses command options; returns true if it
+ * ate an option.
+ */
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+                 const struct ip6t_entry *entry, struct ip6t_entry_target **target)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & SECMARK_MODE_SEL)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --selctx twice");
+		info->mode = SECMARK_MODE_SEL;
+
+		if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Maximum length %u exceeded by --selctx"
+				   " parameter (%zu)",
+				   SECMARK_SELCTX_MAX-1, strlen(optarg));
+
+		strcpy(info->u.sel.selctx, optarg);
+		*flags |= SECMARK_MODE_SEL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+}
+
+static void print_secmark(struct xt_secmark_target_info *info)
+{
+	switch (info->mode) {
+	case SECMARK_MODE_SEL:
+		printf("selctx %s ", info->u.sel.selctx);\
+		break;
+	
+	default:
+		exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+	}
+}
+
+static void print(const struct ip6t_ip6 *ip,
+		  const struct ip6t_entry_target *target, int numeric)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)(target)->data;
+
+	printf("SECMARK ");
+	print_secmark(info);
+}
+
+/* Saves the target info in parsable form to stdout. */
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
+{
+	struct xt_secmark_target_info *info =
+		(struct xt_secmark_target_info*)target->data;
+
+	printf("--");
+	print_secmark(info);
+}
+
+static struct ip6tables_target secmark = {
+	.name		= "SECMARK",
+	.version	= IPTABLES_VERSION,
+	.size		= IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
+	.userspacesize	= IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target6(&secmark);
+}
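Review bot: the same stray `\` after `printf("selctx %s ", info->u.sel.selctx);` is here as in the IPv4 version. This file is otherwise a copy of libipt_SECMARK.c differing only in the header, the ip6t_ types and register_target6(), yet the `.next = NULL` and `.revision = 0` initializers present in the IPv4 struct are absent here. Designated initializers zero unmentioned fields, so both forms are equivalent, but keep the two files in lock-step (or generate one from the other) so a fix such as the backslash does not have to be applied twice.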
diff -purN -X dontdiff iptables.p/extensions/libip6t_SECMARK.man iptables.w/extensions/libip6t_SECMARK.man
--- iptables.p/extensions/libip6t_SECMARK.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_SECMARK.man	2006-05-17 20:09:24.000000000 -0400
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux.  It is only
+valid in the
+.B mangle
+table.
+.TP
+.BI "--selctx " "security_context"
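Review bot: same as the IPv4 man page, `--selctx` is listed with no description; add the explanatory sentence and keep the two pages identical.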
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile	2006-05-17 20:09:15.000000000 -0400
+++ iptables.w/extensions/Makefile	2006-05-17 20:09:24.000000000 -0400
@@ -10,7 +10,7 @@ PF6_EXT_SLIB:=connmark eui64 hl icmp6 le
 
 ifeq ($(DO_SELINUX), 1)
 PF_EXT_SE_SLIB:=SECMARK
-PF6_EXT_SE_SLIB:=
+PF6_EXT_SE_SLIB:=SECMARK
 endif
 
 # Optionals


* [PATCH 04/05] secmark: Add libipt_CONNSECMARK
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
  2006-05-18 15:40 ` [PATCH 03/05] secmark: Add libip6t_SECMARK James Morris
@ 2006-05-18 15:41 ` James Morris
  2006-05-18 15:42 ` [PATCH 05/05] secmark: Add libip6t_CONNSECMARK James Morris
  2006-05-18 15:59 ` [PATCHSET 0/5] SECMARK 2.0 Patrick McHardy
From: James Morris @ 2006-05-18 15:41 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

This patch adds the shared library module for the CONNSECMARK target 
(IPv4).

Signed-off-by: James Morris <jmorris@namei.org>

---

 extensions/Makefile               |    2 
 extensions/libipt_CONNSECMARK.c   |  126 ++++++++++++++++++++++++++++++++++++++
 extensions/libipt_CONNSECMARK.man |   15 ++++
 3 files changed, 142 insertions(+), 1 deletion(-)

diff -purN -X dontdiff iptables.p/extensions/libipt_CONNSECMARK.c iptables.w/extensions/libipt_CONNSECMARK.c
--- iptables.p/extensions/libipt_CONNSECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_CONNSECMARK.c	2006-05-17 20:16:34.000000000 -0400
@@ -0,0 +1,126 @@
+/*
+ * Shared library add-on to iptables to add CONNSECMARK target support.
+ *
+ * Based on the MARK and CONNMARK targets.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+#include <linux/netfilter/xt_CONNSECMARK.h>
+
+#define PFX "CONNSECMARK target: "
+
+static void help(void)
+{
+	printf(
+"CONNSECMARK target v%s options:\n"
+"  --save                   Copy security mark from packet to conntrack\n"
+"  --restore                Copy security mark from connection to packet\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "save", 0, 0, '1' },
+	{ "restore", 0, 0, '2' },
+	{ 0 }
+};
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+                 const struct ipt_entry *entry, struct ipt_entry_target **target)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & CONNSECMARK_SAVE)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --save twice");
+		info->mode = CONNSECMARK_SAVE;
+		*flags |= CONNSECMARK_SAVE;
+		break;
+
+	case '2':
+		if (*flags & CONNSECMARK_RESTORE)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --restore twice");
+		info->mode = CONNSECMARK_RESTORE;
+		*flags |= CONNSECMARK_RESTORE;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+
+	if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
+		exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
+		           "or --restore is allowed");
+}
+
+static void print_connsecmark(struct xt_connsecmark_target_info *info)
+{
+	switch (info->mode) {
+	case CONNSECMARK_SAVE:
+		printf("save ");
+		break;
+		
+	case CONNSECMARK_RESTORE:
+		printf("restore ");
+		break;
+		
+	default:
+		exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+	}
+}
+
+static void print(const struct ipt_ip *ip,
+		  const struct ipt_entry_target *target, int numeric)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)(target)->data;
+
+	printf("CONNSECMARK ");
+	print_connsecmark(info);
+}
+
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)target->data;
+
+	printf("--");
+	print_connsecmark(info);
+}
+
+static struct iptables_target connsecmark = {
+	.next		= NULL,
+	.name		= "CONNSECMARK",
+	.version	= IPTABLES_VERSION,
+	.revision	= 0,
+	.size		= IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+	.userspacesize	= IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+	.parse		= &parse,
+	.help		= &help,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&connsecmark);
+}
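Review bot: help() describes `--save` as "Copy security mark from packet to conntrack" and `--restore` as the reverse, unconditionally, while libipt_CONNSECMARK.man says both copy only when the destination is still unlabeled; make the one-line help match the documented behaviour. In final_check(), `flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE)` does catch `--save --restore`, but rejecting the second option in parse() when the other flag is already set would point the user at the offending argument and would not rely on the two mode values being distinct bits in *flags.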
diff -purN -X dontdiff iptables.p/extensions/libipt_CONNSECMARK.man iptables.w/extensions/libipt_CONNSECMARK.man
--- iptables.p/extensions/libipt_CONNSECMARK.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libipt_CONNSECMARK.man	2006-05-17 20:11:05.000000000 -0400
@@ -0,0 +1,15 @@
+This module copies security markings from packets to connections
+(if unlabeled), and from connections back to packets (also only
+if unlabeled).  Typically used in conjunction with SECMARK, it is
+only valid in the
+.B mangle
+table.
+.TP
+.B --save
+If the packet has a security marking, copy it to the connection
+if the connection is not marked.
+.TP
+.B --restore
+If the packet does not have a security marking, and the connection
+does, copy the security marking from the connection to the packet.
+
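Review bot: the final `+` line adds a trailing empty line at the end of libipt_CONNSECMARK.man; drop it. The text says the target is "Typically used in conjunction with SECMARK" but does not show how; a short example (SECMARK on NEW packets, then CONNSECMARK --save, with CONNSECMARK --restore for ESTABLISHED,RELATED) would make the required rule order clear.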
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile	2006-05-17 20:20:36.000000000 -0400
+++ iptables.w/extensions/Makefile	2006-05-17 20:11:05.000000000 -0400
@@ -9,7 +9,7 @@ PF_EXT_SLIB:=ah addrtype comment connlim
 PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
 
 ifeq ($(DO_SELINUX), 1)
-PF_EXT_SE_SLIB:=SECMARK
+PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
 PF6_EXT_SE_SLIB:=SECMARK
 endif
 


* [PATCH 05/05] secmark: Add libip6t_CONNSECMARK
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
  2006-05-18 15:41 ` [PATCH 04/05] secmark: Add libipt_CONNSECMARK James Morris
@ 2006-05-18 15:42 ` James Morris
  2006-05-18 15:59 ` [PATCHSET 0/5] SECMARK 2.0 Patrick McHardy
From: James Morris @ 2006-05-18 15:42 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel, Stephen Smalley

This patch adds the shared library module for the CONNSECMARK target 
(IPv6).

Signed-off-by: James Morris <jmorris@namei.org>

---

 extensions/Makefile                |    2 
 extensions/libip6t_CONNSECMARK.c   |  124 +++++++++++++++++++++++++++++++++++++
 extensions/libip6t_CONNSECMARK.man |   15 ++++
 3 files changed, 140 insertions(+), 1 deletion(-)

diff -purN -X dontdiff iptables.p/extensions/libip6t_CONNSECMARK.c iptables.w/extensions/libip6t_CONNSECMARK.c
--- iptables.p/extensions/libip6t_CONNSECMARK.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_CONNSECMARK.c	2006-05-17 23:27:41.000000000 -0400
@@ -0,0 +1,124 @@
+/*
+ * Shared library add-on to ip6tables to add CONNSECMARK target support.
+ *
+ * Based on the MARK and CONNMARK targets.
+ *
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ip6tables.h>
+#include <linux/netfilter/xt_CONNSECMARK.h>
+
+#define PFX "CONNSECMARK target: "
+
+static void help(void)
+{
+	printf(
+"CONNSECMARK target v%s options:\n"
+"  --save                   Copy security mark from packet to conntrack\n"
+"  --restore                Copy security mark from connection to packet\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "save", 0, 0, '1' },
+	{ "restore", 0, 0, '2' },
+	{ 0 }
+};
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+                 const struct ip6t_entry *entry, struct ip6t_entry_target **target)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags & CONNSECMARK_SAVE)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --save twice");
+		info->mode = CONNSECMARK_SAVE;
+		*flags |= CONNSECMARK_SAVE;
+		break;
+
+	case '2':
+		if (*flags & CONNSECMARK_RESTORE)
+			exit_error(PARAMETER_PROBLEM, PFX
+				   "Can't specify --restore twice");
+		info->mode = CONNSECMARK_RESTORE;
+		*flags |= CONNSECMARK_RESTORE;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM, PFX "parameter required");
+
+	if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
+		exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
+		           "or --restore is allowed");
+}
+
+static void print_connsecmark(struct xt_connsecmark_target_info *info)
+{
+	switch (info->mode) {
+	case CONNSECMARK_SAVE:
+		printf("save ");
+		break;
+		
+	case CONNSECMARK_RESTORE:
+		printf("restore ");
+		break;
+		
+	default:
+		exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+	}
+}
+
+static void print(const struct ip6t_ip6 *ip,
+		  const struct ip6t_entry_target *target, int numeric)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)(target)->data;
+
+	printf("CONNSECMARK ");
+	print_connsecmark(info);
+}
+
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
+{
+	struct xt_connsecmark_target_info *info =
+		(struct xt_connsecmark_target_info*)target->data;
+
+	printf("--");
+	print_connsecmark(info);
+}
+
+static struct ip6tables_target connsecmark = {
+	.name		= "CONNSECMARK",
+	.version	= IPTABLES_VERSION,
+	.size		= IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+	.userspacesize	= IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
+	.parse		= &parse,
+	.help		= &help,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target6(&connsecmark);
+}
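Review bot: the header comment says "add-on to ip6tables" here while libip6t_SECMARK.c in patch 03 says "add-on to iptables"; pick one wording for the IPv6 files. Otherwise this is libipt_CONNSECMARK.c with ip6t_ types and register_target6(), and it carries the same help-text versus man-page mismatch noted there; any fix needs to land in both copies.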
diff -purN -X dontdiff iptables.p/extensions/libip6t_CONNSECMARK.man iptables.w/extensions/libip6t_CONNSECMARK.man
--- iptables.p/extensions/libip6t_CONNSECMARK.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables.w/extensions/libip6t_CONNSECMARK.man	2006-05-17 23:23:25.000000000 -0400
@@ -0,0 +1,15 @@
+This module copies security markings from packets to connections
+(if unlabeled), and from connections back to packets (also only
+if unlabeled).  Typically used in conjunction with SECMARK, it is
+only valid in the
+.B mangle
+table.
+.TP
+.B --save
+If the packet has a security marking, copy it to the connection
+if the connection is not marked.
+.TP
+.B --restore
+If the packet does not have a security marking, and the connection
+does, copy the security marking from the connection to the packet.
+
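Review bot: same trailing empty line at the end of the file as in libipt_CONNSECMARK.man; drop the final `+` line.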
diff -purN -X dontdiff iptables.p/extensions/Makefile iptables.w/extensions/Makefile
--- iptables.p/extensions/Makefile	2006-05-17 23:26:30.000000000 -0400
+++ iptables.w/extensions/Makefile	2006-05-17 23:25:37.000000000 -0400
@@ -10,7 +10,7 @@ PF6_EXT_SLIB:=connmark eui64 hl icmp6 le
 
 ifeq ($(DO_SELINUX), 1)
 PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
-PF6_EXT_SE_SLIB:=SECMARK
+PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
 endif
 
 # Optionals


* Re: [PATCHSET 0/5] SECMARK 2.0
  2006-05-18 15:37 [PATCHSET 0/5] SECMARK 2.0 James Morris
  2006-05-18 15:42 ` [PATCH 05/05] secmark: Add libip6t_CONNSECMARK James Morris
@ 2006-05-18 15:59 ` Patrick McHardy
From: Patrick McHardy @ 2006-05-18 15:59 UTC (permalink / raw)
  To: James Morris; +Cc: netfilter-devel, Stephen Smalley

James Morris wrote:
> These are the iptables userland patches for the latest version of secmark, 
> which has just been committed to the -mm tree.
> 
> [..]
> 
> If it looks ok, please consider applying.

Looks fine. SVN is currently broken, I'll apply it once it works again.

