Hi, I am a SELinux user and like to see SECMARK support in nftables, to be able to confine network operations [1][2]. Is there currently some effort in adding support for this?
Best regards,
Christian Göttsche
[1] https://paulmoore.livejournal.com/4281.html
[2] https://selinuxproject.org/page/NB_Networking
p.s.: I tried the simple following patch, but nftables aborts with "malloc(): memory corruption":
---
 include/datatype.h | 2 ++
 include/meta.h | 1 +
 src/datatype.c | 1 +
 src/meta.c | 12 ++++++++++++
 src/parser_bison.y | 2 ++
 src/scanner.l | 1 +
 6 files changed, 19 insertions(+)
diff --git a/include/datatype.h b/include/datatype.h
index b641f0e..5d4ec26 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -44,6 +44,7 @@
 * @TYPE_DEVGROUP: devgroup code (integer subtype)
 * @TYPE_DSCP: Differentiated Services Code Point (integer subtype)
 * @TYPE_IFNAME: interface name (string subtype)
+ * @TYPE_SECMARK: packet security context (string subtype)
 */
 enum datatypes {
 TYPE_INVALID,
@@ -88,6 +89,7 @@ enum datatypes {
 TYPE_BOOLEAN,
 TYPE_CT_EVENTBIT,
 TYPE_IFNAME,
+ TYPE_SECMARK,
 __TYPE_MAX
 };
 #define TYPE_MAX (__TYPE_MAX - 1)
diff --git a/include/meta.h b/include/meta.h
index a49b4ff..6877af6 100644
--- a/include/meta.h
+++ b/include/meta.h
@@ -41,6 +41,7 @@ extern const struct datatype uid_type;
 extern const struct datatype devgroup_type;
 extern const struct datatype pkttype_type;
 extern const struct datatype ifname_type;
+extern const struct datatype secmark_type;

 extern struct symbol_table *devgroup_tbl;
diff --git a/src/datatype.c b/src/datatype.c
index c77d228..55ad3cb 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -70,6 +70,7 @@ static const struct datatype *datatypes[TYPE_MAX + 1] = {
 [TYPE_FIB_ADDR] = &fib_addr_type,
 [TYPE_BOOLEAN] = &boolean_type,
 [TYPE_IFNAME] = &ifname_type,
+ [TYPE_SECMARK] = &secmark_type,
 };

 const struct datatype *datatype_lookup(enum datatypes type)
diff --git a/src/meta.c b/src/meta.c
index ff0cb12..b858f66 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -383,6 +383,15 @@ const struct datatype ifname_type = {
 .basetype = &string_type,
 };

+const struct datatype secmark_type = {
+ .type = TYPE_SECMARK,
+ .name = "secmark",
+ .desc = "packet security context",
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ .size = 256 * BITS_PER_BYTE,
+ .basetype = &string_type,
+};
+
 const struct meta_template meta_templates[] = {
 [NFT_META_LEN] = META_TEMPLATE("length", &integer_type,
 4 * 8, BYTEORDER_HOST_ENDIAN),
@@ -418,6 +427,9 @@ const struct meta_template meta_templates[] = {
 1 , BYTEORDER_HOST_ENDIAN),
 [NFT_META_RTCLASSID] = META_TEMPLATE("rtclassid", &realm_type,
 4 * 8, BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SECMARK] = META_TEMPLATE("secmark", &secmark_type,
+ 256 * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
 [NFT_META_BRI_IIFNAME] = META_TEMPLATE("ibrname", &ifname_type,
 IFNAMSIZ * BITS_PER_BYTE,
 BYTEORDER_HOST_ENDIAN),
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 33915ed..1039faf 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -394,6 +394,7 @@ int nft_lex(void *, void *, void *);
 %token SKGID "skgid"
 %token NFTRACE "nftrace"
 %token RTCLASSID "rtclassid"
+%token SECMARK "secmark"
 %token IBRIPORT "ibriport"
 %token OBRIPORT "obriport"
 %token IBRIDGENAME "ibrname"
@@ -3523,6 +3524,7 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
 | SKGID { $$ = NFT_META_SKGID; }
 | NFTRACE { $$ = NFT_META_NFTRACE; }
 | RTCLASSID { $$ = NFT_META_RTCLASSID; }
+ | SECMARK { $$ = NFT_META_SECMARK; }
 | IBRIPORT { $$ = NFT_META_BRI_IIFNAME; }
 | OBRIPORT { $$ = NFT_META_BRI_OIFNAME; }
 | IBRIDGENAME { $$ = NFT_META_BRI_IIFNAME; }
diff --git a/src/scanner.l b/src/scanner.l
index 416bd27..150fd34 100644
--- a/src/scanner.l
+++ b/src/scanner.l
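Review bot: `secmark_type` in the first meta.c hunk declares a 256-byte string value (`.size = 256 * BITS_PER_BYTE`, `.basetype = &string_type`) and the second hunk sizes the `NFT_META_SECMARK` template the same way, but the largest value nftables and the kernel exchange for an expression is NFT_DATA_VALUE_MAXLEN (64) bytes, so a constant of this width exported into one of those fixed buffers overruns it — which would fit the `malloc(): memory corruption` abort described in the mail, although I have not traced the exact crash site. The packet secmark itself (`skb->secmark`) is a 32-bit integer and, as far as I know, the kernel meta expression delivers it as a u32 where it supports the key at all, so the userspace type should follow the mark-style keys in this table rather than `ifname_type`: `.size = 4 * BITS_PER_BYTE,` and `.basetype = &integer_type,` in the datatype, and `4 * 8, BYTEORDER_HOST_ENDIAN),` in the template entry. The `@TYPE_SECMARK: packet security context (string subtype)` comment added in the datatype.h hunk should then say integer subtype to match. Translating that number into an SELinux context string is a separate mapping that a datatype alone cannot express, so it is best kept out of this patch.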
@@ -490,6 +490,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "skgid" { return SKGID; }
 "nftrace" { return NFTRACE; }
 "rtclassid" { return RTCLASSID; }
+"secmark" { return SECMARK; }
 "ibriport" { return IBRIPORT; }
 "ibrname" { return IBRIDGENAME; }
 "obriport" { return OBRIPORT; }