diff options
| -rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 10 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 46 |
2 files changed, 45 insertions, 11 deletions
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 9ed534c991b9..70cd0603911c 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -39,8 +39,9 @@ enum ctattr_type { | |||
| 39 | CTA_TUPLE_MASTER, | 39 | CTA_TUPLE_MASTER, |
| 40 | CTA_NAT_SEQ_ADJ_ORIG, | 40 | CTA_NAT_SEQ_ADJ_ORIG, |
| 41 | CTA_NAT_SEQ_ADJ_REPLY, | 41 | CTA_NAT_SEQ_ADJ_REPLY, |
| 42 | CTA_SECMARK, | 42 | CTA_SECMARK, /* obsolete */ |
| 43 | CTA_ZONE, | 43 | CTA_ZONE, |
| 44 | CTA_SECCTX, | ||
| 44 | __CTA_MAX | 45 | __CTA_MAX |
| 45 | }; | 46 | }; |
| 46 | #define CTA_MAX (__CTA_MAX - 1) | 47 | #define CTA_MAX (__CTA_MAX - 1) |
| @@ -172,4 +173,11 @@ enum ctattr_help { | |||
| 172 | }; | 173 | }; |
| 173 | #define CTA_HELP_MAX (__CTA_HELP_MAX - 1) | 174 | #define CTA_HELP_MAX (__CTA_HELP_MAX - 1) |
| 174 | 175 | ||
| 176 | enum ctattr_secctx { | ||
| 177 | CTA_SECCTX_UNSPEC, | ||
| 178 | CTA_SECCTX_NAME, | ||
| 179 | __CTA_SECCTX_MAX | ||
| 180 | }; | ||
| 181 | #define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1) | ||
| 182 | |||
| 175 | #endif /* _IPCONNTRACK_NETLINK_H */ | 183 | #endif /* _IPCONNTRACK_NETLINK_H */ |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 5bae1cd15eea..b3c628555cf3 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -22,6 +22,7 @@ | |||
| 22 | #include <linux/rculist_nulls.h> | 22 | #include <linux/rculist_nulls.h> |
| 23 | #include <linux/types.h> | 23 | #include <linux/types.h> |
| 24 | #include <linux/timer.h> | 24 | #include <linux/timer.h> |
| 25 | #include <linux/security.h> | ||
| 25 | #include <linux/skbuff.h> | 26 | #include <linux/skbuff.h> |
| 26 | #include <linux/errno.h> | 27 | #include <linux/errno.h> |
| 27 | #include <linux/netlink.h> | 28 | #include <linux/netlink.h> |
| @@ -245,16 +246,31 @@ nla_put_failure: | |||
| 245 | 246 | ||
| 246 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 247 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
| 247 | static inline int | 248 | static inline int |
| 248 | ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct) | 249 | ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) |
| 249 | { | 250 | { |
| 250 | NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark)); | 251 | struct nlattr *nest_secctx; |
| 251 | return 0; | 252 | int len, ret; |
| 253 | char *secctx; | ||
| 254 | |||
| 255 | ret = security_secid_to_secctx(ct->secmark, &secctx, &len); | ||
| 256 | if (ret) | ||
| 257 | return ret; | ||
| 258 | |||
| 259 | ret = -1; | ||
| 260 | nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); | ||
| 261 | if (!nest_secctx) | ||
| 262 | goto nla_put_failure; | ||
| 252 | 263 | ||
| 264 | NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx); | ||
| 265 | nla_nest_end(skb, nest_secctx); | ||
| 266 | |||
| 267 | ret = 0; | ||
| 253 | nla_put_failure: | 268 | nla_put_failure: |
| 254 | return -1; | 269 | security_release_secctx(secctx, len); |
| 270 | return ret; | ||
| 255 | } | 271 | } |
| 256 | #else | 272 | #else |
| 257 | #define ctnetlink_dump_secmark(a, b) (0) | 273 | #define ctnetlink_dump_secctx(a, b) (0) |
| 258 | #endif | 274 | #endif |
| 259 | 275 | ||
| 260 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) | 276 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) |
| @@ -391,7 +407,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | |||
| 391 | ctnetlink_dump_protoinfo(skb, ct) < 0 || | 407 | ctnetlink_dump_protoinfo(skb, ct) < 0 || |
| 392 | ctnetlink_dump_helpinfo(skb, ct) < 0 || | 408 | ctnetlink_dump_helpinfo(skb, ct) < 0 || |
| 393 | ctnetlink_dump_mark(skb, ct) < 0 || | 409 | ctnetlink_dump_mark(skb, ct) < 0 || |
| 394 | ctnetlink_dump_secmark(skb, ct) < 0 || | 410 | ctnetlink_dump_secctx(skb, ct) < 0 || |
| 395 | ctnetlink_dump_id(skb, ct) < 0 || | 411 | ctnetlink_dump_id(skb, ct) < 0 || |
| 396 | ctnetlink_dump_use(skb, ct) < 0 || | 412 | ctnetlink_dump_use(skb, ct) < 0 || |
| 397 | ctnetlink_dump_master(skb, ct) < 0 || | 413 | ctnetlink_dump_master(skb, ct) < 0 || |
| @@ -437,6 +453,17 @@ ctnetlink_counters_size(const struct nf_conn *ct) | |||
| 437 | ; | 453 | ; |
| 438 | } | 454 | } |
| 439 | 455 | ||
| 456 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 457 | static int ctnetlink_nlmsg_secctx_size(const struct nf_conn *ct) | ||
| 458 | { | ||
| 459 | int len; | ||
| 460 | |||
| 461 | security_secid_to_secctx(ct->secmark, NULL, &len); | ||
| 462 | |||
| 463 | return sizeof(char) * len; | ||
| 464 | } | ||
| 465 | #endif | ||
| 466 | |||
| 440 | static inline size_t | 467 | static inline size_t |
| 441 | ctnetlink_nlmsg_size(const struct nf_conn *ct) | 468 | ctnetlink_nlmsg_size(const struct nf_conn *ct) |
| 442 | { | 469 | { |
| @@ -453,7 +480,8 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) | |||
| 453 | + nla_total_size(0) /* CTA_HELP */ | 480 | + nla_total_size(0) /* CTA_HELP */ |
| 454 | + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ | 481 | + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ |
| 455 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 482 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
| 456 | + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */ | 483 | + nla_total_size(0) /* CTA_SECCTX */ |
| 484 | + nla_total_size(ctnetlink_nlmsg_secctx_size(ct)) /* CTA_SECCTX_NAME */ | ||
| 457 | #endif | 485 | #endif |
| 458 | #ifdef CONFIG_NF_NAT_NEEDED | 486 | #ifdef CONFIG_NF_NAT_NEEDED |
| 459 | + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ | 487 | + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ |
| @@ -554,11 +582,9 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | |||
| 554 | && ctnetlink_dump_helpinfo(skb, ct) < 0) | 582 | && ctnetlink_dump_helpinfo(skb, ct) < 0) |
| 555 | goto nla_put_failure; | 583 | goto nla_put_failure; |
| 556 | 584 | ||
| 557 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 558 | if ((events & (1 << IPCT_SECMARK) || ct->secmark) | 585 | if ((events & (1 << IPCT_SECMARK) || ct->secmark) |
| 559 | && ctnetlink_dump_secmark(skb, ct) < 0) | 586 | && ctnetlink_dump_secctx(skb, ct) < 0) |
| 560 | goto nla_put_failure; | 587 | goto nla_put_failure; |
| 561 | #endif | ||
| 562 | 588 | ||
| 563 | if (events & (1 << IPCT_RELATED) && | 589 | if (events & (1 << IPCT_RELATED) && |
| 564 | ctnetlink_dump_master(skb, ct) < 0) | 590 | ctnetlink_dump_master(skb, ct) < 0) |