From: "Christian Göttsche" <cgzones@googlemail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nftables: secmark support
Date: Mon, 28 Oct 2019 15:27:07 +0100 [thread overview]
Message-ID: <CAJ2a_DdVOTDPpamh=DKcGde_8gp++xYPwBP=0gY3_GDqPFntrQ@mail.gmail.com> (raw)
In-Reply-To: <20191022173411.zh3o2wnoqxpjhjkq@salvia>
[-- Attachment #1: Type: text/plain, Size: 8425 bytes --]
> > [... define secmarks and port maps ...]
> > chain input {
> > type filter hook input priority 0;
> > ct state new meta secmark set tcp dport map @secmapping_in
> > ct state new ip protocol icmp meta secmark set "icmp_server"
> > ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
> > ct state new ct secmark_raw set meta secmark_raw
> > ct state established,related meta secmark_raw set ct secmark_raw
>
> So your concern is the need for this extra secmark_raw, correct?
Exactly, because I want to store the kernel-internal secid in the packet
state to match it on established/related packets.
Otherwise I got "Counter expression must be constant" and other errors.
> This is what your patch [6] does, right? If you don't mind to rebase
> it I can have a look if I can propose you something else than this new
> keyword.
Attached at the end (based on 707ad229d48f2ba7920541527b755b155ddedcda)
> This is the listing after you add ruleset in 1., correct?
Yes
> > 3.
> > The patch also adds the ability to reset secmarks.
> > Is there a way to query the kernel about the actual secid (to verify
> > the reset works)?
>
> What do you mean by "reset secmarks", example please.
Resetting secmarks is intended to renew the association between the secmark
string and the kernel-internal secid.
This keeps it in sync after e.g. an SELinux policy reload, without
restarting the whole firewall, resetting counters, etc.
From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state
---
src/ct.c | 2 ++
src/evaluate.c | 2 ++
src/meta.c | 3 +++
src/parser_bison.y | 37 +++++++++++++++++++++++++++++--------
src/rule.c | 6 ++++++
src/scanner.l | 1 +
6 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
BYTEORDER_BIG_ENDIAN, 128),
[NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
BYTEORDER_BIG_ENDIAN, 128),
+ [NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 32),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
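Review bot: The template token "secmark" on the added [NFT_CT_SECMARK] line differs from the keyword the grammar accepts for this key, `SECMARK_RAW` in ct_key, and the same holds for the new `META_TEMPLATE("secmark", ...)` in src/meta.c against meta_key_qualified. If the listing path prints the template token, as it presumably does for the neighbouring entries, a rule written as `ct secmark_raw` lists back as `ct secmark`, which this grammar does not accept, so the ruleset would not survive `nft list ruleset | nft -f -`. Naming both templates after the keyword, `CT_TEMPLATE("secmark_raw", &integer_type, BYTEORDER_HOST_ENDIAN, 32)` and `META_TEMPLATE("secmark_raw", &integer_type, 32, BYTEORDER_HOST_ENDIAN)`, keeps the two sides consistent. The ct_templates initializer starts before the hunk; the attached copy of the patch repeats the same hunks.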
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx
*ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
[NFT_META_TIME_HOUR] = META_TEMPLATE("hour", &hour_type,
4 * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type,
+ 32, BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
case NFT_META_OIFNAME:
case NFT_META_IIFGROUP:
case NFT_META_OIFGROUP:
+ case NFT_META_SECMARK:
return true;
default:
return false;
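Review bot: Adding `case NFT_META_SECMARK:` to meta_key_is_unqualified is inconsistent with the grammar in this patch, where the raw key is only reachable through meta_key_qualified (`META SECMARK_RAW`) and has no alternative in meta_key_unqualified. If unqualified keys are printed without the `meta` prefix, as the function name suggests, a listed secmark_raw expression or statement would come out bare and fail to parse on reload. Dropping the added case so the key lists as `meta secmark_raw`, or adding a matching unqualified alternative to the grammar, resolves it either way. The function's remaining cases lie outside the hunk.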
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);
%token SECMARK "secmark"
%token SECMARKS "secmarks"
+%token SECMARK_RAW "secmark_raw"
%token NANOSECOND "nanosecond"
%token MICROSECOND "microsecond"
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);
%type <expr> meta_expr
%destructor { expr_free($$); } meta_expr
-%type <val> meta_key meta_key_qualified
meta_key_unqualified numgen_type
+%type <val> meta_key meta_key_qualified
meta_key_unqualified meta_key_object numgen_type
%type <expr> socket_expr
%destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd : COUNTERS ruleset_spec
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
flush_cmd : TABLE table_spec
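Review bot: The three new SECMARK alternatives of reset_cmd give `reset secmark` the same shape as the counter and quota resets, but the operation means something different here — per the cover mail it re-resolves the secmark string to the current kernel-internal secid rather than clearing accumulated state — and nothing in the grammar or the matching do_command_reset case in src/rule.c records that. A short comment on the first new alternative, e.g. `/* reset secmark: re-resolve the secctx string to the current secid, not a counter-style reset */`, would save the next reader a trip to the mailing list. Whether the kernel actually refreshes the secid on a reset dump is not visible here and should be confirmed before the command is documented; the reset_cmd rule continues outside the hunk.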
@@ -4123,7 +4136,7 @@ meta_key_qualified : LENGTH { $$ =
NFT_META_LEN; }
| PROTOCOL { $$ = NFT_META_PROTOCOL; }
| PRIORITY { $$ = NFT_META_PRIORITY; }
| RANDOM { $$ = NFT_META_PRANDOM; }
- | SECMARK { $$ = NFT_META_SECMARK; }
+ | SECMARK_RAW { $$ = NFT_META_SECMARK; }
;
meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified : MARK { $$ =
NFT_META_MARK; }
| HOUR { $$ = NFT_META_TIME_HOUR; }
;
+meta_key_object : SECMARK { $$ = NFT_META_SECMARK; }
+ ;
+
meta_stmt : META meta_key SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ }
+ | meta_key_unqualified SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $1, $3);
+ }
+ | META meta_key_object SET stmt_expr
{
switch ($2) {
case NFT_META_SECMARK:
@@ -4161,14 +4185,10 @@ meta_stmt : META meta_key SET
stmt_expr
$$->objref.expr = $4;
break;
default:
- $$ = meta_stmt_alloc(&@$, $2, $4);
- break;
+ erec_queue(error(&@2, "invalid meta object name
'%s'\n", $2), state->msgs);
+ YYERROR;
}
}
- | meta_key_unqualified SET stmt_expr
- {
- $$ = meta_stmt_alloc(&@$, $1, $3);
- }
| META STRING SET stmt_expr
{
struct error_record *erec;
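Review bot: The new default branch of the `META meta_key_object SET stmt_expr` action formats `$2` with `%s`, but meta_key_object is declared `<val>`, an integer, so the error() call passes an integer where a C string is expected, which is undefined behaviour if that path is ever taken. Because meta_key_object has only the SECMARK alternative the default is currently unreachable, so either drop the switch and handle the objref case directly, or keep the guard with an integer conversion, e.g. `erec_queue(error(&@2, "invalid meta object key %u\n", (unsigned)$2), state->msgs);`. The meta_stmt rule continues in both directions outside the hunk; the attached copy repeats this hunk.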
@@ -4354,6 +4374,7 @@ ct_key : L3PROTOCOL { $$ =
NFT_CT_L3PROTOCOL; }
| PROTO_DST { $$ = NFT_CT_PROTO_DST; }
| LABEL { $$ = NFT_CT_LABELS; }
| EVENT { $$ = NFT_CT_EVENTMASK; }
+ | SECMARK_RAW { $$ = NFT_CT_SECMARK; }
| ct_key_dir_optional
;
diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx
*ctx, struct cmd *cmd)
case CMD_OBJ_QUOTA:
type = NFT_OBJECT_QUOTA;
break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
default:
BUG("invalid command object type %u\n", cmd->obj);
}
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"secmark" { return SECMARK; }
"secmarks" { return SECMARKS; }
+"secmark_raw" { return SECMARK_RAW; }
{addrstring} {
yylval->string = xstrdup(yytext);
--
2.24.0.rc1
[-- Attachment #2: 0001-add-secmark_raw-for-storing-secmark-id-in-packet-sta.patch --]
[-- Type: text/x-patch, Size: 5736 bytes --]
From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state
---
src/ct.c | 2 ++
src/evaluate.c | 2 ++
src/meta.c | 3 +++
src/parser_bison.y | 37 +++++++++++++++++++++++++++++--------
src/rule.c | 6 ++++++
src/scanner.l | 1 +
6 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
BYTEORDER_BIG_ENDIAN, 128),
[NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
BYTEORDER_BIG_ENDIAN, 128),
+ [NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 32),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
[NFT_META_TIME_HOUR] = META_TEMPLATE("hour", &hour_type,
4 * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type,
+ 32, BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
case NFT_META_OIFNAME:
case NFT_META_IIFGROUP:
case NFT_META_OIFGROUP:
+ case NFT_META_SECMARK:
return true;
default:
return false;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);
%token SECMARK "secmark"
%token SECMARKS "secmarks"
+%token SECMARK_RAW "secmark_raw"
%token NANOSECOND "nanosecond"
%token MICROSECOND "microsecond"
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);
%type <expr> meta_expr
%destructor { expr_free($$); } meta_expr
-%type <val> meta_key meta_key_qualified meta_key_unqualified numgen_type
+%type <val> meta_key meta_key_qualified meta_key_unqualified meta_key_object numgen_type
%type <expr> socket_expr
%destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd : COUNTERS ruleset_spec
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
flush_cmd : TABLE table_spec
@@ -4123,7 +4136,7 @@ meta_key_qualified : LENGTH { $$ = NFT_META_LEN; }
| PROTOCOL { $$ = NFT_META_PROTOCOL; }
| PRIORITY { $$ = NFT_META_PRIORITY; }
| RANDOM { $$ = NFT_META_PRANDOM; }
- | SECMARK { $$ = NFT_META_SECMARK; }
+ | SECMARK_RAW { $$ = NFT_META_SECMARK; }
;
meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| HOUR { $$ = NFT_META_TIME_HOUR; }
;
+meta_key_object : SECMARK { $$ = NFT_META_SECMARK; }
+ ;
+
meta_stmt : META meta_key SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ }
+ | meta_key_unqualified SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $1, $3);
+ }
+ | META meta_key_object SET stmt_expr
{
switch ($2) {
case NFT_META_SECMARK:
@@ -4161,14 +4185,10 @@ meta_stmt : META meta_key SET stmt_expr
$$->objref.expr = $4;
break;
default:
- $$ = meta_stmt_alloc(&@$, $2, $4);
- break;
+ erec_queue(error(&@2, "invalid meta object name '%s'\n", $2), state->msgs);
+ YYERROR;
}
}
- | meta_key_unqualified SET stmt_expr
- {
- $$ = meta_stmt_alloc(&@$, $1, $3);
- }
| META STRING SET stmt_expr
{
struct error_record *erec;
@@ -4354,6 +4374,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
| PROTO_DST { $$ = NFT_CT_PROTO_DST; }
| LABEL { $$ = NFT_CT_LABELS; }
| EVENT { $$ = NFT_CT_EVENTMASK; }
+ | SECMARK_RAW { $$ = NFT_CT_SECMARK; }
| ct_key_dir_optional
;
diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_QUOTA:
type = NFT_OBJECT_QUOTA;
break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
default:
BUG("invalid command object type %u\n", cmd->obj);
}
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"secmark" { return SECMARK; }
"secmarks" { return SECMARKS; }
+"secmark_raw" { return SECMARK_RAW; }
{addrstring} {
yylval->string = xstrdup(yytext);
--
2.24.0.rc1