Re: nftables: secmark support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> >     [... define secmarks and port maps ...]
> >     chain input {
> >         type filter hook input priority 0;
> >         ct state new meta secmark set tcp dport map @secmapping_in
> >         ct state new ip protocol icmp meta secmark set "icmp_server"
> >         ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
> >         ct state new ct secmark_raw set meta secmark_raw
> >         ct state established,related meta secmark_raw set ct secmark_raw
>
> So your concern is the need for this extra secmark_raw, correct?

Exactly, cause i want to store the kernel internal secid in the packet
state to match it on est,rel packets.
Otherwise I got "Counter expression must be constant" and other errors.

> This is what your patch [6] does, right? If you don't mind to rebase
> it I can have a look if I can propose you something else than this new
> keyword.

Attached at the end (base on 707ad229d48f2ba7920541527b755b155ddedcda)

> This is the listing after you add ruleset in 1., correct?

Yes

> > 3.
> > The patch also adds the ability to reset secmarks.
> > Is there a way to query the kernel about the actual secid (to verify
> > the reset works)?
>
> What do you mean by "reset secmarks", example please.

Reseting secmarks intends to renew the association between the secmark
string and the kernel internal secid.
To keep it in sync after e.g. a SELinux policy reload, without
restarting the whole firewall, resetting counters etc..



>From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@xxxxxxxxxxxxxx>
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state

---
 src/ct.c           |  2 ++
 src/evaluate.c     |  2 ++
 src/meta.c         |  3 +++
 src/parser_bison.y | 37 +++++++++++++++++++++++++++++--------
 src/rule.c         |  6 ++++++
 src/scanner.l      |  1 +
 6 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
                           BYTEORDER_BIG_ENDIAN, 128),
     [NFT_CT_DST_IP6]    = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
                           BYTEORDER_BIG_ENDIAN, 128),
+    [NFT_CT_SECMARK]    = CT_TEMPLATE("secmark", &integer_type,
+                          BYTEORDER_HOST_ENDIAN, 32),
 };

 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx
*ctx, struct cmd *cmd)
     switch (cmd->obj) {
     case CMD_OBJ_COUNTER:
     case CMD_OBJ_QUOTA:
+    case CMD_OBJ_SECMARK:
     case CMD_OBJ_COUNTERS:
     case CMD_OBJ_QUOTAS:
+    case CMD_OBJ_SECMARKS:
         if (cmd->handle.table.name == NULL)
             return 0;
         if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
     [NFT_META_TIME_HOUR]    = META_TEMPLATE("hour", &hour_type,
                         4 * BITS_PER_BYTE,
                         BYTEORDER_HOST_ENDIAN),
+    [NFT_META_SECMARK]    = META_TEMPLATE("secmark", &integer_type,
+                        32, BYTEORDER_HOST_ENDIAN),
 };

 static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
     case NFT_META_OIFNAME:
     case NFT_META_IIFGROUP:
     case NFT_META_OIFGROUP:
+    case NFT_META_SECMARK:
         return true;
     default:
         return false;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);

 %token SECMARK            "secmark"
 %token SECMARKS            "secmarks"
+%token SECMARK_RAW        "secmark_raw"

 %token NANOSECOND        "nanosecond"
 %token MICROSECOND        "microsecond"
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);

 %type <expr>            meta_expr
 %destructor { expr_free($$); }    meta_expr
-%type <val>            meta_key    meta_key_qualified
meta_key_unqualified    numgen_type
+%type <val>            meta_key    meta_key_qualified
meta_key_unqualified    meta_key_object    numgen_type

 %type <expr>            socket_expr
 %destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd        :    COUNTERS    ruleset_spec
             {
                 $$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
             }
+            |    SECMARKS    ruleset_spec
+            {
+                $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+            }
+            |    SECMARKS    TABLE    table_spec
+            {
+                $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+            }
+            |       SECMARK        obj_spec
+            {
+                $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+            }
             ;

 flush_cmd        :    TABLE        table_spec
@@ -4123,7 +4136,7 @@ meta_key_qualified    :    LENGTH        { $$ =
NFT_META_LEN; }
             |    PROTOCOL    { $$ = NFT_META_PROTOCOL; }
             |    PRIORITY    { $$ = NFT_META_PRIORITY; }
             |    RANDOM        { $$ = NFT_META_PRANDOM; }
-            |    SECMARK        { $$ = NFT_META_SECMARK; }
+            |    SECMARK_RAW    { $$ = NFT_META_SECMARK; }
             ;

 meta_key_unqualified    :    MARK        { $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified    :    MARK        { $$ =
NFT_META_MARK; }
             |       HOUR        { $$ = NFT_META_TIME_HOUR; }
             ;

+meta_key_object        :    SECMARK        { $$ = NFT_META_SECMARK; }
+            ;
+
 meta_stmt        :    META    meta_key    SET    stmt_expr
+            {
+                $$ = meta_stmt_alloc(&@$, $2, $4);
+            }
+            |    meta_key_unqualified    SET    stmt_expr
+            {
+                $$ = meta_stmt_alloc(&@$, $1, $3);
+            }
+            |    META meta_key_object    SET    stmt_expr
             {
                 switch ($2) {
                 case NFT_META_SECMARK:
@@ -4161,14 +4185,10 @@ meta_stmt        :    META    meta_key    SET
  stmt_expr
                     $$->objref.expr = $4;
                     break;
                 default:
-                    $$ = meta_stmt_alloc(&@$, $2, $4);
-                    break;
+                    erec_queue(error(&@2, "invalid meta object name
'%s'\n", $2), state->msgs);
+                    YYERROR;
                 }
             }
-            |    meta_key_unqualified    SET    stmt_expr
-            {
-                $$ = meta_stmt_alloc(&@$, $1, $3);
-            }
             |    META    STRING    SET    stmt_expr
             {
                 struct error_record *erec;
@@ -4354,6 +4374,7 @@ ct_key            :    L3PROTOCOL    { $$ =
NFT_CT_L3PROTOCOL; }
             |    PROTO_DST    { $$ = NFT_CT_PROTO_DST; }
             |    LABEL        { $$ = NFT_CT_LABELS; }
             |    EVENT        { $$ = NFT_CT_EVENTMASK; }
+            |    SECMARK_RAW    { $$ = NFT_CT_SECMARK; }
             |    ct_key_dir_optional
             ;

diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx
*ctx, struct cmd *cmd)
     case CMD_OBJ_QUOTA:
         type = NFT_OBJECT_QUOTA;
         break;
+    case CMD_OBJ_SECMARKS:
+        dump = true;
+        /* fall through */
+    case CMD_OBJ_SECMARK:
+        type = NFT_OBJECT_SECMARK;
+        break;
     default:
         BUG("invalid command object type %u\n", cmd->obj);
     }
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring    ({macaddr}|{ip4addr}|{ip6addr})

 "secmark"        { return SECMARK; }
 "secmarks"        { return SECMARKS; }
+"secmark_raw"        { return SECMARK_RAW; }

 {addrstring}        {
                 yylval->string = xstrdup(yytext);
-- 
2.24.0.rc1
From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@xxxxxxxxxxxxxx>
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state

---
 src/ct.c           |  2 ++
 src/evaluate.c     |  2 ++
 src/meta.c         |  3 +++
 src/parser_bison.y | 37 +++++++++++++++++++++++++++++--------
 src/rule.c         |  6 ++++++
 src/scanner.l      |  1 +
 6 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_BIG_ENDIAN, 128),
 	[NFT_CT_DST_IP6]	= CT_TEMPLATE("ip6 daddr", &ip6addr_type,
 					      BYTEORDER_BIG_ENDIAN, 128),
+	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark", &integer_type,
+					      BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
 	switch (cmd->obj) {
 	case CMD_OBJ_COUNTER:
 	case CMD_OBJ_QUOTA:
+	case CMD_OBJ_SECMARK:
 	case CMD_OBJ_COUNTERS:
 	case CMD_OBJ_QUOTAS:
+	case CMD_OBJ_SECMARKS:
 		if (cmd->handle.table.name == NULL)
 			return 0;
 		if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
 	[NFT_META_TIME_HOUR]	= META_TEMPLATE("hour", &hour_type,
 						4 * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_SECMARK]	= META_TEMPLATE("secmark", &integer_type,
+						32, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
 	case NFT_META_OIFNAME:
 	case NFT_META_IIFGROUP:
 	case NFT_META_OIFGROUP:
+	case NFT_META_SECMARK:
 		return true;
 	default:
 		return false;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);
 
 %token SECMARK			"secmark"
 %token SECMARKS			"secmarks"
+%token SECMARK_RAW		"secmark_raw"
 
 %token NANOSECOND		"nanosecond"
 %token MICROSECOND		"microsecond"
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);
 
 %type <expr>			meta_expr
 %destructor { expr_free($$); }	meta_expr
-%type <val>			meta_key	meta_key_qualified	meta_key_unqualified	numgen_type
+%type <val>			meta_key	meta_key_qualified	meta_key_unqualified	meta_key_object	numgen_type
 
 %type <expr>			socket_expr
 %destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd		:	COUNTERS	ruleset_spec
 			{
 				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 			}
+			|	SECMARKS	ruleset_spec
+			{
+				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+			}
+			|	SECMARKS	TABLE	table_spec
+			{
+				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+			}
+			|       SECMARK		obj_spec
+			{
+				$$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+			}
 			;
 
 flush_cmd		:	TABLE		table_spec
@@ -4123,7 +4136,7 @@ meta_key_qualified	:	LENGTH		{ $$ = NFT_META_LEN; }
 			|	PROTOCOL	{ $$ = NFT_META_PROTOCOL; }
 			|	PRIORITY	{ $$ = NFT_META_PRIORITY; }
 			|	RANDOM		{ $$ = NFT_META_PRANDOM; }
-			|	SECMARK		{ $$ = NFT_META_SECMARK; }
+			|	SECMARK_RAW	{ $$ = NFT_META_SECMARK; }
 			;
 
 meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
 			|       HOUR		{ $$ = NFT_META_TIME_HOUR; }
 			;
 
+meta_key_object		:	SECMARK		{ $$ = NFT_META_SECMARK; }
+			;
+
 meta_stmt		:	META	meta_key	SET	stmt_expr
+			{
+				$$ = meta_stmt_alloc(&@$, $2, $4);
+			}
+			|	meta_key_unqualified	SET	stmt_expr
+			{
+				$$ = meta_stmt_alloc(&@$, $1, $3);
+			}
+			|	META meta_key_object	SET	stmt_expr
 			{
 				switch ($2) {
 				case NFT_META_SECMARK:
@@ -4161,14 +4185,10 @@ meta_stmt		:	META	meta_key	SET	stmt_expr
 					$$->objref.expr = $4;
 					break;
 				default:
-					$$ = meta_stmt_alloc(&@$, $2, $4);
-					break;
+					erec_queue(error(&@2, "invalid meta object name '%s'\n", $2), state->msgs);
+					YYERROR;
 				}
 			}
-			|	meta_key_unqualified	SET	stmt_expr
-			{
-				$$ = meta_stmt_alloc(&@$, $1, $3);
-			}
 			|	META	STRING	SET	stmt_expr
 			{
 				struct error_record *erec;
@@ -4354,6 +4374,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	PROTO_DST	{ $$ = NFT_CT_PROTO_DST; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
+			|	SECMARK_RAW	{ $$ = NFT_CT_SECMARK; }
 			|	ct_key_dir_optional
 			;
 
diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_QUOTA:
 		type = NFT_OBJECT_QUOTA;
 		break;
+	case CMD_OBJ_SECMARKS:
+		dump = true;
+		/* fall through */
+	case CMD_OBJ_SECMARK:
+		type = NFT_OBJECT_SECMARK;
+		break;
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
 	}
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "secmark"		{ return SECMARK; }
 "secmarks"		{ return SECMARKS; }
+"secmark_raw"		{ return SECMARK_RAW; }
 
 {addrstring}		{
 				yylval->string = xstrdup(yytext);
-- 
2.24.0.rc1


[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux