From: Piotr Sawicki <piotr.sawicki@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] libnetfilter_queue: Add information about retrieving UID/GID/SECCTX fields
Date: Mon, 26 Jun 2017 22:31:30 +0200 [thread overview]
Message-ID: <oirqus$3p1$1@blaine.gmane.org> (raw)
From: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
Add information about retrieving UID/GID/SECCTX fields
Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
---
src/libnetfilter_queue.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 1702158..4002687 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -698,6 +698,13 @@ EXPORT_SYMBOL(nfq_set_mode);
flags &= ~NFQA_CFG_F_FAIL_OPEN;
err = nfq_set_queue_flags(qh, mask, flags);
\endverbatim
+ * - NFQA_CFG_F_SECCTX: the kernel will dump security context of the
socket to
+ * which each packet belongs.
+ *
+ * \warning
+ * When fragmentation occurs and NFQA_CFG_F_GSO is NOT set then the kernel
+ * dumps UID/GID and security context fields only for one fragment. To
deal with
+ * this limitation always set NFQA_CFG_F_GSO.
*
* \return -1 on error with errno set appropriately; =0 otherwise.
*/
@@ -1201,6 +1208,10 @@ EXPORT_SYMBOL(nfq_get_packet_hw);
/**
* nfq_get_uid - get the UID of the user the packet belongs to
* \param nfad Netlink packet data handle passed to callback function
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ * may be pushed into the queue. In this case, only one fragment will
+ * have the UID field set. To deal with this issue always set
+ * NFQA_CFG_F_GSO.
*
* \return 1 if there is a UID available, 0 otherwise.
*/
@@ -1217,6 +1228,10 @@ EXPORT_SYMBOL(nfq_get_uid);
/**
* nfq_get_gid - get the GID of the user the packet belongs to
* \param nfad Netlink packet data handle passed to callback function
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ * may be pushed into the queue. In this case, only one fragment will
+ * have the GID field set. To deal with this issue always set
+ * NFQA_CFG_F_GSO.
*
* \return 1 if there is a GID available, 0 otherwise.
*/
@@ -1235,6 +1250,10 @@ EXPORT_SYMBOL(nfq_get_gid);
* nfq_get_secctx - get the security context for this packet
* \param nfad Netlink packet data handle passed to callback function
* \param secdata data to write the security context to
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ * may be pushed into the queue. In this case, only one fragment will
+ * have the SECCTX field set. To deal with this issue always set
+ * NFQA_CFG_F_GSO.
*
* \return -1 on error, otherwise > 0
*/
--
2.7.4
next reply other threads:[~2017-06-26 20:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-26 20:31 Piotr Sawicki [this message]
2017-06-27 16:48 ` [PATCH] libnetfilter_queue: Add information about retrieving UID/GID/SECCTX fields Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='oirqus$3p1$1@blaine.gmane.org' \
--to=piotr.sawicki@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.