Roman Kubiak <r.kubiak@xxxxxxxxxxx> wrote:
> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
> index 8dd819e..b67a853 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
> @@ -49,6 +49,7 @@ enum nfqnl_attr_type {
> NFQA_EXP, /* nf_conntrack_netlink.h */
> NFQA_UID, /* __u32 sk uid */
> NFQA_GID, /* __u32 sk gid */
> + NFQA_SECCTX, /* security context string */
>
> __NFQA_MAX
> };
> @@ -102,7 +103,8 @@ enum nfqnl_attr_config {
> #define NFQA_CFG_F_CONNTRACK (1 << 1)
> #define NFQA_CFG_F_GSO (1 << 2)
> #define NFQA_CFG_F_UID_GID (1 << 3)
> -#define NFQA_CFG_F_MAX (1 << 4)
> +#define NFQA_CFG_F_SECCTX (1 << 4)
> +#define NFQA_CFG_F_MAX (1 << 5)
>
> /* flags for NFQA_SKB_INFO */
> /* packet appears to have wrong checksums, but they are ok */
> diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
> index 0b98c74..2c35112 100644
> --- a/net/netfilter/nfnetlink_queue_core.c
> +++ b/net/netfilter/nfnetlink_queue_core.c
> @@ -278,6 +278,24 @@ nla_put_failure:
> return -1;
> }
>
> +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> +{
> + u32 seclen = 0;
place #if IS_ENABLED(CONFIG_NETWORK_SECMARK) here? I also think it makes sense to reject NFQA_CFG_F_SECCTX config flag in nfqnl_recv_config() when IS_ENABLED(CONFIG_NETWORK_SECMARK) is not set; i'd suggest to return EOPNOTSUPP in that case.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
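Review bot: The new `NFQA_SECCTX` entry in `enum nfqnl_attr_type` is documented only as `/* security context string */`, whereas its neighbours (`/* __u32 sk uid */`, `/* __u32 sk gid */`) pin down the exact payload layout; as this is a uapi header, userspace parsers need to know whether the string carries a NUL terminator or whether its length is given solely by the attribute length. If nfqnl_get_sk_secctx passes the LSM's secdata buffer through unchanged (its body is cut off in this excerpt, so I cannot confirm), it is worth stating that explicitly, e.g. `NFQA_SECCTX, /* security context string; length is nla_len(), not NUL-terminated */` with the terminator claim adjusted to match what the packet-message builder actually emits. The same comment would also be the natural place to name the config flag (`NFQA_CFG_F_SECCTX`) that must be set for the attribute to appear.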