> > [... define secmarks and port maps ...] > > chain input { > > type filter hook input priority 0; > > ct state new meta secmark set tcp dport map @secmapping_in > > ct state new ip protocol icmp meta secmark set "icmp_server" > > ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server" > > ct state new ct secmark_raw set meta secmark_raw > > ct state established,related meta secmark_raw set ct secmark_raw > > So your concern is the need for this extra secmark_raw, correct? Exactly, cause i want to store the kernel internal secid in the packet state to match it on est,rel packets. Otherwise I got "Counter expression must be constant" and other errors. > This is what your patch [6] does, right? If you don't mind to rebase > it I can have a look if I can propose you something else than this new > keyword. Attached at the end (base on 707ad229d48f2ba7920541527b755b155ddedcda) > This is the listing after you add ruleset in 1., correct? Yes > > 3. > > The patch also adds the ability to reset secmarks. > > Is there a way to query the kernel about the actual secid (to verify > > the reset works)? > > What do you mean by "reset secmarks", example please. Reseting secmarks intends to renew the association between the secmark string and the kernel internal secid. To keep it in sync after e.g. a SELinux policy reload, without restarting the whole firewall, resetting counters etc..
From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state
---
 src/ct.c | 2 ++
 src/evaluate.c | 2 ++
 src/meta.c | 3 +++
 src/parser_bison.y | 37 +++++++++++++++++++++++++++++-------
 src/rule.c | 6 ++++++
 src/scanner.l | 1 +
 6 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 BYTEORDER_BIG_ENDIAN, 128),
 [NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
 BYTEORDER_BIG_ENDIAN, 128),
+ [NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
 switch (cmd->obj) {
 case CMD_OBJ_COUNTER:
 case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
 case CMD_OBJ_COUNTERS:
 case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
 if (cmd->handle.table.name == NULL)
 return 0;
 if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
 [NFT_META_TIME_HOUR] = META_TEMPLATE("hour", &hour_type,
 4 * BITS_PER_BYTE,
 BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type,
+ 32, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
 case NFT_META_OIFNAME:
 case NFT_META_IIFGROUP:
 case NFT_META_OIFGROUP:
+ case NFT_META_SECMARK:
 return true;
 default:
 return false;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);
 %token SECMARK "secmark"
 %token SECMARKS "secmarks"
+%token SECMARK_RAW "secmark_raw"
 %token NANOSECOND "nanosecond"
 %token MICROSECOND "microsecond"
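Review bot: The new ct template names the key "secmark" while the grammar reaches NFT_CT_SECMARK only through `ct secmark_raw` (ct_key maps SECMARK_RAW, not SECMARK), so a rule that lists as `ct secmark` cannot be loaded back with `nft -f`, assuming expression printing uses the template token as it does for the other entries of this table. The meta.c hunks carry the same mismatch: META_TEMPLATE("secmark", ...) together with meta_key_is_unqualified() returning true for NFT_META_SECMARK prints a bare `secmark`, but the parser only accepts the qualified `meta secmark_raw` form and the unqualified-key path is not extended. Keeping token and keyword identical, `CT_TEMPLATE("secmark_raw", &integer_type, BYTEORDER_HOST_ENDIAN, 32)` and `META_TEMPLATE("secmark_raw", &integer_type, 32, BYTEORDER_HOST_ENDIAN)`, and dropping the NFT_META_SECMARK case from meta_key_is_unqualified() so it prints as `meta secmark_raw`, would keep list/load round trips working.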
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);
 %type meta_expr
 %destructor { expr_free($$); } meta_expr
-%type meta_key meta_key_qualified meta_key_unqualified numgen_type
+%type meta_key meta_key_qualified meta_key_unqualified meta_key_object numgen_type
 %type socket_expr
 %destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd : COUNTERS ruleset_spec
 {
 $$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 }
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
 ;
 
 flush_cmd : TABLE table_spec
@@ -4123,7 +4136,7 @@ meta_key_qualified : LENGTH { $$ = NFT_META_LEN; }
 | PROTOCOL { $$ = NFT_META_PROTOCOL; }
 | PRIORITY { $$ = NFT_META_PRIORITY; }
 | RANDOM { $$ = NFT_META_PRANDOM; }
- | SECMARK { $$ = NFT_META_SECMARK; }
+ | SECMARK_RAW { $$ = NFT_META_SECMARK; }
 ;
 
 meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
 | HOUR { $$ = NFT_META_TIME_HOUR; }
 ;
+meta_key_object : SECMARK { $$ = NFT_META_SECMARK; }
+ ;
+
 meta_stmt : META meta_key SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ }
+ | meta_key_unqualified SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $1, $3);
+ }
+ | META meta_key_object SET stmt_expr
 {
 switch ($2) {
 case NFT_META_SECMARK:
@@ -4161,14 +4185,10 @@ meta_stmt : META meta_key SET stmt_expr
 $$->objref.expr = $4;
 break;
 default:
- $$ = meta_stmt_alloc(&@$, $2, $4);
- break;
+ erec_queue(error(&@2, "invalid meta object name '%s'\n", $2), state->msgs);
+ YYERROR;
 }
 }
- | meta_key_unqualified SET stmt_expr
- {
- $$ = meta_stmt_alloc(&@$, $1, $3);
- }
 | META STRING SET stmt_expr
 {
 struct error_record *erec;
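Review bot: Swapping `SECMARK` for `SECMARK_RAW` in meta_key_qualified silently removes `meta secmark` as a match key, so any existing ruleset that compares the packet secmark (e.g. `meta secmark 0x1`, a constructed example) stops parsing after this patch, and neither the commit message nor the hunk says so. Since keeping SECMARK in meta_key itself would collide with the new `META meta_key_object SET` statement, the compatibility break looks intended; it should at least be spelled out in the commit message and the secmark section of the man page, and a test that the old spelling is rejected with a clear error would make the change visible rather than a surprise.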
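Review bot: In the new default branch, `error(&@2, "invalid meta object name '%s'\n", $2)` hands `$2` — a meta_key_object value, i.e. the integer NFT_META_SECMARK, declared with the same %type as meta_key — to a `%s` conversion, a format/argument mismatch that is undefined behaviour if the branch is ever reached. Today it is unreachable because meta_key_object has a single alternative, which is exactly what makes the mismatch easy to miss once a second object key is added; print it as a number, `erec_queue(error(&@2, "invalid meta object key %u\n", (unsigned int)$2), state->msgs);`, or turn the branch into `BUG("invalid meta object key %u\n", $2);` as rule.c does for unexpected object types. The META STRING alternative of meta_stmt continues past the end of the hunk.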
@@ -4354,6 +4374,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
 | PROTO_DST { $$ = NFT_CT_PROTO_DST; }
 | LABEL { $$ = NFT_CT_LABELS; }
 | EVENT { $$ = NFT_CT_EVENTMASK; }
+ | SECMARK_RAW { $$ = NFT_CT_SECMARK; }
 | ct_key_dir_optional
 ;
 
diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
 case CMD_OBJ_QUOTA:
 type = NFT_OBJECT_QUOTA;
 break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
 default:
 BUG("invalid command object type %u\n", cmd->obj);
 }
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "secmark" { return SECMARK; }
 "secmarks" { return SECMARKS; }
+"secmark_raw" { return SECMARK_RAW; }
 {addrstring} { yylval->string = xstrdup(yytext);
-- 
2.24.0.rc1
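Review bot: Nothing in the new CMD_OBJ_SECMARK/CMD_OBJ_SECMARKS cases of do_command_reset() says what "resetting" a secmark object means — unlike counters and quotas there is no accumulated value to clear, and the intent (re-resolving the context string to the kernel's current secid, e.g. after a SELinux policy reload) lives only in the mailing-list thread above. A short comment on the new case, `/* secmark objects hold no counters: a reset asks the kernel to re-resolve the context string to its current secid (see cover letter) */`, would keep that contract with the code, hedged as it depends on what the kernel does on a reset dump of this object type. `dump` and `type` are declared before the hunk and the function continues after it.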