On Fri, Jun 12, 2015 at 12:32:57PM +0200, Roman Kubiak wrote:
> This way works and seems sensible (I tested it)
>
> a fixed patch below
>
> -- cut here
>
> This patch adds an additional attribute when sending
> packet information via netlink in netfilter_queue module.
> It will send additional security context data, so that
> userspace applications can verify this context against
> their own security databases.
>
> Signed-off-by: Roman Kubiak <r.kubiak@xxxxxxxxxxx>
> ---
> v2:
> - nfqnl_get_sk_secctx returns seclen now, this changes
> - updated size calculation
> - changed NFQA_SECCTX comment
> - removed duplicate testing of NFQA_CFG_F flags
>
> v3:
> - NULL is not added to the security context anymore
> - return 0 when socket is invalid in nfqnl_get_sk_secctx
> - small intent change
> - removed ret variable in nfqnl_get_sk_secctx
>
> v4:
> - removed security dependency, this patch does not
>   require any changes in other subsystems
> - nfqnl_get_sk_secctx returns seclen
> - added IFDEF when using secmark from the sk_buff
>   structure
>
> v5:
> - added a check to disable security context sending
>   if CONFIG_NETWORK_SECMARK is not set
>
> v6:
> - changed the way flags and mask are checked in
>   nfqnl_recv_config

Applied this v6. Thank you.