Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> Hi,
> after I found a nice tutorial [1], I started to hack some code [2].
> Is it the correct approach to introduce a new kernel module and a new
> nftables statement?
Yes and no :-)
The problem is that current nft_meta.c uses the 32bit secmark id,
which, as far as i know is not useable from userspace.
This will need something similar to what you propose, i.e.
text-string sent to kernel for conversion purpose.
> Is there an easy way to attach the secmark to the parent connection,
> so that all packets of the same connection inherit it?
Yes, thats what xt_CONNSECMARK.c does -- copies skb->secmark to the
secmark stored in nf_conn->secmark.
Back to the topic at hand.
I think SECMARK equivalent should live in nft_meta.c.
As it looks like we can't discover correct secid (32bit value)
from userspace we will need to pass the full string, as you did.
Simplest version is to merge your patch into nft_meta.c, in the
"set" part, and make the init() function translate it to the 32bit
immedidate, this would pretty much look like your patch.
The disadvantage of passing it as string is that we can't use
maps and the like for setting the value, e.g.
meta secmark set tcp dport map { 22 : system_u:object_r:x_ssh_packet:s0,
{ 80 : system_u:object_r:x_http_packet:s0, }
would not work as we can't pass n strings to the kernel, we'd need one
rule for each label.
I think the best solution would be to add objref support for the
selctx names.
We'd need a new NFT_OBJECT_SELCTX in kernel, that gets the security
label and can do the conversion to the 32bit id.
This would live in nft_meta.c, similar to nft_ct_helper_obj_type living
in nft_ct.c .
static struct nft_object_ops nft_selctx_obj_type;
1. policy that gets the NLA_STRING
2. init() function that convers string -> id
3. dump() function that dumps string back to userspace
4. eval() function that sets skb->secmark = priv->id;
On frontend side users would do:
nft add secctx filter test-ssh { selctx "system_u:object_r:x_ssh_packet:s0"; }
nft add rule filter input tcp dport 22 meta secmark set "test-ssh"
This looks more cumbersome but it would allow use of "map" syntax as
outlined above since this gives nft machinery the needed info to know that
"test-ssh" is a security context and it would invoke the appropriate objref
function to internally convert the name -> id.
If you'd like to work on this (its not easy) I'd be happy to provide
help/guidance to get this merged into the kernel/nftables.
[ NB: I suck with nft grammar, perhaps this should be a more simple
nft add secctx filter test-ssh "system..." without any extra {},
but thats a minor point. ]
