* [PATCH] libnetfitler_queue: receive security context info
@ 2015-05-25 10:26 Roman Kubiak
2015-05-26 13:11 ` Florian Westphal
0 siblings, 1 reply; 4+ messages in thread
From: Roman Kubiak @ 2015-05-25 10:26 UTC (permalink / raw)
To: netfilter-devel
From: RomanKubiak <r.kubiak@samsung.com>
Date: Mon, 25 May 2015 12:24:34 +0200
Subject: [PATCH] libnetfitler_queue: receive security context info
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
---
include/libnetfilter_queue/libnetfilter_queue.h | 2 ++
include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 +++-
include/linux/netfilter/nfnetlink_queue.h | 4 +++-
src/libnetfilter_queue.c | 18 ++++++++++++++++++
utils/nfqnl_test.c | 11 ++++++++++-
5 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index 122cd10..489e76d 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -105,6 +105,7 @@ extern u_int32_t nfq_get_outdev(struct nfq_data *nfad);
extern u_int32_t nfq_get_physoutdev(struct nfq_data *nfad);
extern int nfq_get_uid(struct nfq_data *nfad, u_int32_t *uid);
extern int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid);
+extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
struct nfq_data *nfad, char *name);
@@ -129,6 +130,7 @@ enum {
NFQ_XML_TIME = (1 << 5),
NFQ_XML_UID = (1 << 6),
NFQ_XML_GID = (1 << 7),
+ NFQ_XML_SECCTX = (1 << 8),
NFQ_XML_ALL = ~0U,
};
diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
index f732201..479faa3 100644
--- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
+++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
@@ -52,6 +52,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
@@ -105,7 +106,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 22f5d45..030672d 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 740b340..9356e3d 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -1219,6 +1219,24 @@ int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid)
EXPORT_SYMBOL(nfq_get_gid);
/**
+ * nfq_get_secctx - get the security context for this packet
+ * \param nfad Netlink packet data handle passed to callback function
+ * \param secdata data to write the security context to
+ *
+ * \return 1 if there is a security context available, 0 otherwise
+ */
+int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
+{
+ if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
+ return 0;
+
+ *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, NFQA_SECCTX, char);
+
+ return 1;
+}
+EXPORT_SYMBOL(nfq_get_secctx);
+
+/**
* nfq_get_payload - get payload
* \param nfad Netlink packet data handle passed to callback function
* \param data Pointer of pointer that will be pointed to the payload
diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c
index 2176a61..9538fee 100644
--- a/utils/nfqnl_test.c
+++ b/utils/nfqnl_test.c
@@ -17,7 +17,7 @@ static u_int32_t print_pkt (struct nfq_data *tb)
struct nfqnl_msg_packet_hw *hwph;
u_int32_t mark, ifi, uid, gid;
int ret;
- unsigned char *data;
+ unsigned char *data, *secdata;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
@@ -61,6 +61,9 @@ static u_int32_t print_pkt (struct nfq_data *tb)
if (nfq_get_gid(tb, &gid))
printf("gid=%u ", gid);
+ if (nfq_get_secctx(tb, &secdata))
+ printf ("secctx=\"%s\" ", secdata);
+
ret = nfq_get_payload(tb, &data);
if (ret >= 0)
printf("payload_len=%d ", ret);
@@ -134,6 +137,12 @@ int main(int argc, char **argv)
"retrieve process UID/GID.\n");
}
+ printf("setting flags to request security context\n");
+ if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) {
+ fprintf(stderr, "This kernel version does not allow to "
+ "retrieve security context.\n");
+ }
+
printf("Waiting for packets...\n");
fd = nfq_fd(h);
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] libnetfitler_queue: receive security context info
2015-05-25 10:26 [PATCH] libnetfitler_queue: receive security context info Roman Kubiak
@ 2015-05-26 13:11 ` Florian Westphal
2015-05-27 11:02 ` Roman Kubiak
0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2015-05-26 13:11 UTC (permalink / raw)
To: Roman Kubiak; +Cc: netfilter-devel
Roman Kubiak <r.kubiak@samsung.com> wrote:
> From: RomanKubiak <r.kubiak@samsung.com>
> Date: Mon, 25 May 2015 12:24:34 +0200
> Subject: [PATCH] libnetfitler_queue: receive security context info
>
> This will allow userspace to find the security context of each
> packet (if it exists) and make decisions based on that.
> It should work for SELinux and SMACK.
>
> ---
> include/libnetfilter_queue/libnetfilter_queue.h | 2 ++
> include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 +++-
> include/linux/netfilter/nfnetlink_queue.h | 4 +++-
> src/libnetfilter_queue.c | 18 ++++++++++++++++++
> utils/nfqnl_test.c | 11 ++++++++++-
> 5 files changed, 36 insertions(+), 3 deletions(-)
>
> diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
> index 122cd10..489e76d 100644
> --- a/include/libnetfilter_queue/libnetfilter_queue.h
> +++ b/include/libnetfilter_queue/libnetfilter_queue.h
> @@ -105,6 +105,7 @@ extern u_int32_t nfq_get_outdev(struct nfq_data *nfad);
> extern u_int32_t nfq_get_physoutdev(struct nfq_data *nfad);
> extern int nfq_get_uid(struct nfq_data *nfad, u_int32_t *uid);
> extern int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid);
> +extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
>
> extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
> struct nfq_data *nfad, char *name);
> @@ -129,6 +130,7 @@ enum {
> NFQ_XML_TIME = (1 << 5),
> NFQ_XML_UID = (1 << 6),
> NFQ_XML_GID = (1 << 7),
> + NFQ_XML_SECCTX = (1 << 8),
> NFQ_XML_ALL = ~0U,
> };
>
> diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> index f732201..479faa3 100644
> --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
> +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
> @@ -52,6 +52,7 @@ enum nfqnl_attr_type {
> NFQA_EXP, /* nf_conntrack_netlink.h */
> NFQA_UID, /* __u32 sk uid */
> NFQA_GID, /* __u32 sk gid */
> + NFQA_SECCTX,
>
> __NFQA_MAX
> };
> @@ -105,7 +106,8 @@ enum nfqnl_attr_config {
> #define NFQA_CFG_F_CONNTRACK (1 << 1)
> #define NFQA_CFG_F_GSO (1 << 2)
> #define NFQA_CFG_F_UID_GID (1 << 3)
> -#define NFQA_CFG_F_MAX (1 << 4)
> +#define NFQA_CFG_F_SECCTX (1 << 4)
> +#define NFQA_CFG_F_MAX (1 << 5)
>
> /* flags for NFQA_SKB_INFO */
> /* packet appears to have wrong checksums, but they are ok */
> diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
> index 22f5d45..030672d 100644
> --- a/include/linux/netfilter/nfnetlink_queue.h
> +++ b/include/linux/netfilter/nfnetlink_queue.h
> @@ -49,6 +49,7 @@ enum nfqnl_attr_type {
> NFQA_EXP, /* nf_conntrack_netlink.h */
> NFQA_UID, /* __u32 sk uid */
> NFQA_GID, /* __u32 sk gid */
> + NFQA_SECCTX,
>
> __NFQA_MAX
> };
> @@ -102,7 +103,8 @@ enum nfqnl_attr_config {
> #define NFQA_CFG_F_CONNTRACK (1 << 1)
> #define NFQA_CFG_F_GSO (1 << 2)
> #define NFQA_CFG_F_UID_GID (1 << 3)
> -#define NFQA_CFG_F_MAX (1 << 4)
> +#define NFQA_CFG_F_SECCTX (1 << 4)
> +#define NFQA_CFG_F_MAX (1 << 5)
>
> /* flags for NFQA_SKB_INFO */
> /* packet appears to have wrong checksums, but they are ok */
> diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
> index 740b340..9356e3d 100644
> --- a/src/libnetfilter_queue.c
> +++ b/src/libnetfilter_queue.c
> @@ -1219,6 +1219,24 @@ int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid)
> EXPORT_SYMBOL(nfq_get_gid);
>
> /**
> + * nfq_get_secctx - get the security context for this packet
> + * \param nfad Netlink packet data handle passed to callback function
> + * \param secdata data to write the security context to
> + *
> + * \return 1 if there is a security context available, 0 otherwise
> + */
> +int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
> +{
> + if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
> + return 0;
> +
> + *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, NFQA_SECCTX, char);
> +
> + return 1;
This should return the attr size, see nfq_get_payload() below on how to
do this.
It would be nice if you could add libmnl based version too
(src/nlmsg.c contains libmnl api of libnetfilter_queue).
The short version is that libnfnetlink has problems wrt.
extensibility/flexibility since it hides netlink details.
libmnl exposes all of the netlink data so its more flexible to add
functionality on top of libmnl than on top of libnfnetlink.
And on top of that, libnetfilter_queue libnfnetlink api exposes/leaks
implementation details of libnfnetlink so we can't replace libnfnetlink
with libmnl in the higer level libraries :-(
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] libnetfitler_queue: receive security context info
2015-05-26 13:11 ` Florian Westphal
@ 2015-05-27 11:02 ` Roman Kubiak
2015-05-27 12:52 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Roman Kubiak @ 2015-05-27 11:02 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Ok so I updated the libnetfilter_queue and the example, i'll try to get to the libmnl asap but it looks a bit more challenging.
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
---
v2:
- returning the size of security context
- updated the test program
---
include/libnetfilter_queue/libnetfilter_queue.h | 2 ++
include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 +++-
include/linux/netfilter/nfnetlink_queue.h | 4 +++-
src/libnetfilter_queue.c | 21 +++++++++++++++++++++
utils/nfqnl_test.c | 12 +++++++++++-
5 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index 122cd10..489e76d 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -105,6 +105,7 @@ extern u_int32_t nfq_get_outdev(struct nfq_data *nfad);
extern u_int32_t nfq_get_physoutdev(struct nfq_data *nfad);
extern int nfq_get_uid(struct nfq_data *nfad, u_int32_t *uid);
extern int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid);
+extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
struct nfq_data *nfad, char *name);
@@ -129,6 +130,7 @@ enum {
NFQ_XML_TIME = (1 << 5),
NFQ_XML_UID = (1 << 6),
NFQ_XML_GID = (1 << 7),
+ NFQ_XML_SECCTX = (1 << 8),
NFQ_XML_ALL = ~0U,
};
diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
index f732201..479faa3 100644
--- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
+++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
@@ -52,6 +52,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
@@ -105,7 +106,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 22f5d45..030672d 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 740b340..530df06 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -1219,6 +1219,27 @@ int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid)
EXPORT_SYMBOL(nfq_get_gid);
/**
+ * nfq_get_secctx - get the security context for this packet
+ * \param nfad Netlink packet data handle passed to callback function
+ * \param secdata data to write the security context to
+ *
+ * \return -1 on error, otherwise > 0
+ */
+int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
+{
+ if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
+ return -1;
+
+ *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, NFQA_SECCTX, char);
+
+ if (*secdata)
+ return NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1]);
+
+ return 0;
+}
+EXPORT_SYMBOL(nfq_get_secctx);
+
+/**
* nfq_get_payload - get payload
* \param nfad Netlink packet data handle passed to callback function
* \param data Pointer of pointer that will be pointed to the payload
diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c
index 2176a61..bee325b 100644
--- a/utils/nfqnl_test.c
+++ b/utils/nfqnl_test.c
@@ -17,7 +17,7 @@ static u_int32_t print_pkt (struct nfq_data *tb)
struct nfqnl_msg_packet_hw *hwph;
u_int32_t mark, ifi, uid, gid;
int ret;
- unsigned char *data;
+ unsigned char *data, *secdata;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
@@ -61,6 +61,10 @@ static u_int32_t print_pkt (struct nfq_data *tb)
if (nfq_get_gid(tb, &gid))
printf("gid=%u ", gid);
+ ret = nfq_get_secctx(tb, &secdata);
+ if (ret > 0)
+ printf ("secctx=\"%.*s\" ", ret, secdata);
+
ret = nfq_get_payload(tb, &data);
if (ret >= 0)
printf("payload_len=%d ", ret);
@@ -134,6 +138,12 @@ int main(int argc, char **argv)
"retrieve process UID/GID.\n");
}
+ printf("setting flags to request security context\n");
+ if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) {
+ fprintf(stderr, "This kernel version does not allow to "
+ "retrieve security context.\n");
+ }
+
printf("Waiting for packets...\n");
fd = nfq_fd(h);
--
1.9.1
On 05/26/2015 03:11 PM, Florian Westphal wrote:
> Roman Kubiak <r.kubiak@samsung.com> wrote:
>> From: RomanKubiak <r.kubiak@samsung.com>
>> Date: Mon, 25 May 2015 12:24:34 +0200
>> Subject: [PATCH] libnetfitler_queue: receive security context info
>>
>> This will allow userspace to find the security context of each
>> packet (if it exists) and make decisions based on that.
>> It should work for SELinux and SMACK.
>>
>> ---
>> include/libnetfilter_queue/libnetfilter_queue.h | 2 ++
>> include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 +++-
>> include/linux/netfilter/nfnetlink_queue.h | 4 +++-
>> src/libnetfilter_queue.c | 18 ++++++++++++++++++
>> utils/nfqnl_test.c | 11 ++++++++++-
>> 5 files changed, 36 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
>> index 122cd10..489e76d 100644
>> --- a/include/libnetfilter_queue/libnetfilter_queue.h
>> +++ b/include/libnetfilter_queue/libnetfilter_queue.h
>> @@ -105,6 +105,7 @@ extern u_int32_t nfq_get_outdev(struct nfq_data *nfad);
>> extern u_int32_t nfq_get_physoutdev(struct nfq_data *nfad);
>> extern int nfq_get_uid(struct nfq_data *nfad, u_int32_t *uid);
>> extern int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid);
>> +extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
>>
>> extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
>> struct nfq_data *nfad, char *name);
>> @@ -129,6 +130,7 @@ enum {
>> NFQ_XML_TIME = (1 << 5),
>> NFQ_XML_UID = (1 << 6),
>> NFQ_XML_GID = (1 << 7),
>> + NFQ_XML_SECCTX = (1 << 8),
>> NFQ_XML_ALL = ~0U,
>> };
>>
>> diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
>> index f732201..479faa3 100644
>> --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
>> +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
>> @@ -52,6 +52,7 @@ enum nfqnl_attr_type {
>> NFQA_EXP, /* nf_conntrack_netlink.h */
>> NFQA_UID, /* __u32 sk uid */
>> NFQA_GID, /* __u32 sk gid */
>> + NFQA_SECCTX,
>>
>> __NFQA_MAX
>> };
>> @@ -105,7 +106,8 @@ enum nfqnl_attr_config {
>> #define NFQA_CFG_F_CONNTRACK (1 << 1)
>> #define NFQA_CFG_F_GSO (1 << 2)
>> #define NFQA_CFG_F_UID_GID (1 << 3)
>> -#define NFQA_CFG_F_MAX (1 << 4)
>> +#define NFQA_CFG_F_SECCTX (1 << 4)
>> +#define NFQA_CFG_F_MAX (1 << 5)
>>
>> /* flags for NFQA_SKB_INFO */
>> /* packet appears to have wrong checksums, but they are ok */
>> diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
>> index 22f5d45..030672d 100644
>> --- a/include/linux/netfilter/nfnetlink_queue.h
>> +++ b/include/linux/netfilter/nfnetlink_queue.h
>> @@ -49,6 +49,7 @@ enum nfqnl_attr_type {
>> NFQA_EXP, /* nf_conntrack_netlink.h */
>> NFQA_UID, /* __u32 sk uid */
>> NFQA_GID, /* __u32 sk gid */
>> + NFQA_SECCTX,
>>
>> __NFQA_MAX
>> };
>> @@ -102,7 +103,8 @@ enum nfqnl_attr_config {
>> #define NFQA_CFG_F_CONNTRACK (1 << 1)
>> #define NFQA_CFG_F_GSO (1 << 2)
>> #define NFQA_CFG_F_UID_GID (1 << 3)
>> -#define NFQA_CFG_F_MAX (1 << 4)
>> +#define NFQA_CFG_F_SECCTX (1 << 4)
>> +#define NFQA_CFG_F_MAX (1 << 5)
>>
>> /* flags for NFQA_SKB_INFO */
>> /* packet appears to have wrong checksums, but they are ok */
>> diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
>> index 740b340..9356e3d 100644
>> --- a/src/libnetfilter_queue.c
>> +++ b/src/libnetfilter_queue.c
>> @@ -1219,6 +1219,24 @@ int nfq_get_gid(struct nfq_data *nfad, u_int32_t *gid)
>> EXPORT_SYMBOL(nfq_get_gid);
>>
>> /**
>> + * nfq_get_secctx - get the security context for this packet
>> + * \param nfad Netlink packet data handle passed to callback function
>> + * \param secdata data to write the security context to
>> + *
>> + * \return 1 if there is a security context available, 0 otherwise
>> + */
>> +int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
>> +{
>> + if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
>> + return 0;
>> +
>> + *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, NFQA_SECCTX, char);
>> +
>> + return 1;
>
> This should return the attr size, see nfq_get_payload() below on how to
> do this.
>
> It would be nice if you could add libmnl based version too
> (src/nlmsg.c contains libmnl api of libnetfilter_queue).
>
> The short version is that libnfnetlink has problems wrt.
> extensibility/flexibility since it hides netlink details.
>
> libmnl exposes all of the netlink data so its more flexible to add
> functionality on top of libmnl than on top of libnfnetlink.
>
> And on top of that, libnetfilter_queue libnfnetlink api exposes/leaks
> implementation details of libnfnetlink so we can't replace libnfnetlink
> with libmnl in the higer level libraries :-(
>
>
--
--------------
Roman Kubiak
--------------
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] libnetfitler_queue: receive security context info
2015-05-27 11:02 ` Roman Kubiak
@ 2015-05-27 12:52 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-27 12:52 UTC (permalink / raw)
To: Roman Kubiak; +Cc: Florian Westphal, netfilter-devel
On Wed, May 27, 2015 at 01:02:56PM +0200, Roman Kubiak wrote:
> Ok so I updated the libnetfilter_queue and the example, i'll try to
> get to the libmnl asap but it looks a bit more challenging.
The libmnl change is a very important part of this library, so you
have to send us a patch for that too.
Thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-05-27 12:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-05-25 10:26 [PATCH] libnetfitler_queue: receive security context info Roman Kubiak
2015-05-26 13:11 ` Florian Westphal
2015-05-27 11:02 ` Roman Kubiak
2015-05-27 12:52 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).