Linux Netfilter discussions
From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter@vger.kernel.org,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	netfilter-owner@vger.kernel.org
Subject: Re: decipher the secmark number from nf_conntrack/ip_conntrack
Date: Mon, 20 Sep 2010 13:42:19 +0100	[thread overview]
Message-ID: <4C9756AB.5040304@googlemail.com> (raw)
In-Reply-To: <alpine.LNX.2.01.1009201421180.13430@obet.zrqbmnf.qr>


> Basically `conntrack -L`. You just need to write the patch that 
> does the secmark->name translation. :-)
>   
Actually, I've got a better idea!

I spent a good part of the last hour looking at the source of iptables 
(v1.4.7 as this is what comes out of my FC13 as the 'latest' rpm) and 
found this little nugget:

=====<xt_SECMARK.h>=================
struct xt_secmark_target_selinux_info {
    __u32 selsid;
    char selctx[SECMARK_SELCTX_MAX];
};
===================================

=====<libxt_SECMARK.c>===============
static void print_secmark(const struct xt_secmark_target_info *info)
{
    switch (info->mode) {
    case SECMARK_MODE_SEL:
        /* print the context string recorded when the rule was added */
        printf("selctx %s ", info->u.sel.selctx);
        break;

    default:
        xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
    }
}

static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
                          int numeric)
{
    const struct xt_secmark_target_info *info =
        (struct xt_secmark_target_info*)(target)->data;

    printf("SECMARK ");
    print_secmark(info);
}
===================================

The output of SECMARK_print is seen when I list the mangle table with 
iptables ('iptables -t mangle -L -n' for example) and there is the 
SELinux context in full view as I originally registered the rule match 
with. So, if I am to kindly ask the devs maintaining the iptables code 
to change the above function to include the following line:

printf("selctx %s [%u]", info->u.sel.selctx, info->u.sel.selsid);

instead of:

printf("selctx %s ", info->u.sel.selctx);

I would, at least, have an idea of which SELinux context maps to which 
number (I am assuming that 'selsid' is the actual number printed in the 
'secmark=XXX' - I haven't gone that far in the code yet to verify this!).

Ideally, I would *love* to have a separate branch in, say 
'/proc/net/selctx', listing all registered contexts with 
iptables/netfilter together with their numbers (basically a printout of 
the whole xt_secmark_target_selinux_info struct as defined above).

That would not be too much to ask now, would it? :-)
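The decoding step this proposal would enable, as an added example that is not part of the post or of the iptables source: a Python script that reads the proposed `selctx <context> [<selsid>]` form from `iptables -t mangle -L -n` output and labels each `secmark=N` field in `conntrack -L` output with its context. It assumes the proposed output format and that selsid is the secmark number (the post itself calls that unverified); all sample lines are constructed.

```python
"""Name the secmark numbers in `conntrack -L` output.

Assumes the proposed (not merged) libxt_SECMARK output format
'SECMARK selctx <context> [<selsid>]' and that selsid is the number
conntrack prints as secmark=N. All sample lines are constructed.
"""
import re

# Constructed `iptables -t mangle -L -n` output in the proposed format.
IPTABLES_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
SECMARK    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 SECMARK selctx system_u:object_r:ssh_packet_t:s0 [4]
SECMARK    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 SECMARK selctx system_u:object_r:http_packet_t:s0 [7]
"""

# Constructed `conntrack -L` output; the second flow matches no rule.
CONNTRACK_LISTING = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] mark=0 secmark=4 use=1
udp     17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=5353 src=10.0.0.1 dst=10.0.0.5 sport=5353 dport=5353 mark=0 secmark=99 use=1
"""

SECMARK_RULE = re.compile(r"SECMARK selctx (\S+) \[(\d+)\]")
SECMARK_FIELD = re.compile(r"\bsecmark=(\d+)")

def build_secmark_table(listing):
    """Map each selsid number to its SELinux context string."""
    table = {}
    for line in listing.splitlines():
        m = SECMARK_RULE.search(line)
        if not m:
            continue
        ctx, sid = m.group(1), int(m.group(2))
        if table.get(sid, ctx) != ctx:
            # One number, two contexts: refuse rather than mislabel flows.
            raise ValueError(f"selsid {sid}: {table[sid]} vs {ctx}")
        table[sid] = ctx
    return table

def annotate_conntrack(listing, table):
    """Return conntrack lines with each 'secmark=N' followed by its context."""
    def name(m):
        sid = int(m.group(1))
        return f"secmark={sid} ({table.get(sid, 'unknown')})"
    return [SECMARK_FIELD.sub(name, line) for line in listing.splitlines()]

if __name__ == "__main__":
    table = build_secmark_table(IPTABLES_LISTING)
    print("\n".join(annotate_conntrack(CONNTRACK_LISTING, table)))
```

A secmark number with no SECMARK rule behind it (the udp flow above) is reported as unknown instead of being dropped, so stale or foreign marks stay visible.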
