> Basically `conntrack -L`. You just need to write the patch that
> does the secmark->name translation. :-)
Actually, I've got a better idea!
I spent a good part of the last hour looking at the source of iptables
(v1.4.7 as this is what comes out of my FC13 as the 'latest' rpm) and
found this little nugget:
=====<xt_SECMARK.h>=================
struct xt_secmark_target_selinux_info {
    __u32 selsid;                    /* SELinux SID the context resolved to */
    char selctx[SECMARK_SELCTX_MAX]; /* context string as given on the command line */
};
===================================
=====<libxt_SECMARK.c>===============
/* Print the mode-specific part of a SECMARK target. */
static void print_secmark(const struct xt_secmark_target_info *info)
{
    switch (info->mode) {
    case SECMARK_MODE_SEL:
        printf("selctx %s ", info->u.sel.selctx);
        break;
    default:
        xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
    }
}

/* Called by iptables -L to print a rule's SECMARK target. */
static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
                          int numeric)
{
    const struct xt_secmark_target_info *info =
        (struct xt_secmark_target_info *)target->data;

    printf("SECMARK ");
    print_secmark(info);
}
===================================
The output of SECMARK_print is seen when I list the mangle table with
iptables ('iptables -t mangle -L -n' for example) and there is the
SELinux context in full view as I originally registered the rule match
with. So, if I am to kindly ask the devs maintaining the iptables code
to change the above function to include the following line:
printf("selctx %s [%u]", info->u.sel.selctx, info->u.sel.selsid);
instead of:
printf("selctx %s ", info->u.sel.selctx);
I would, at least, have an idea of which SELinux context maps to which
number (I am assuming that 'selsid' is the actual number printed in the
'secmark=XXX' - I haven't gone that far in the code yet to verify this!).
Ideally, I would *love* to have a separate branch in, say
'/proc/net/selctx', listing all registered contexts with
iptables/netfilter together with their numbers (basically a printout of
the whole xt_secmark_target_selinux_info struct as defined above).
That would not be too much to ask now, would it? :-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
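The translation the thread is circling around, as an added example that is not part of the post and not iptables or netfilter code: a small table standing in for the "registered contexts with their numbers" listing the post wishes for, a formatter that prints an entry the way the proposed `selctx %s [%u]` line would, and a parser that pulls the `secmark=N` field out of a `conntrack -L` style line and resolves it against the table. The registry contents and the sample conntrack lines are constructed for illustration, and the example follows the post's own (unverified) assumption that the number in `secmark=` is the `selsid` value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same bound the quoted xt_SECMARK.h uses for the context string. */
#define SECMARK_SELCTX_MAX 256

/* Mirrors the layout of xt_secmark_target_selinux_info from the quoted header. */
struct secmark_entry {
    uint32_t selsid;
    char selctx[SECMARK_SELCTX_MAX];
};

/*
 * Constructed stand-in for a "/proc/net/selctx"-like listing. The numbers and
 * contexts are made up for illustration; on a real system they come from the
 * SECMARK rules that were loaded.
 */
static const struct secmark_entry registry[] = {
    { 1, "system_u:object_r:ssh_server_packet_t:s0" },
    { 2, "system_u:object_r:http_server_packet_t:s0" },
};

/* Returns the context registered for a secmark number, or NULL if unknown. */
const char *secmark_to_ctx(uint32_t sid)
{
    size_t i;
    for (i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
        if (registry[i].selsid == sid)
            return registry[i].selctx;
    return NULL;
}

/*
 * Renders an entry the way the post's proposed print line would:
 * "selctx <context> [<number>]". Unknown numbers get "?" as the context.
 * Uses a static buffer, so the result is valid only until the next call.
 */
const char *describe_secmark(uint32_t sid)
{
    static char buf[SECMARK_SELCTX_MAX + 32];
    const char *ctx = secmark_to_ctx(sid);
    snprintf(buf, sizeof(buf), "selctx %s [%u]", ctx ? ctx : "?", (unsigned)sid);
    return buf;
}

/*
 * Pulls the number out of a "secmark=N" field in a conntrack -L style line.
 * Returns the number, or -1 if the line carries no parseable secmark field.
 */
long parse_secmark_field(const char *line)
{
    const char *p = strstr(line, "secmark=");
    unsigned long v;
    if (!p)
        return -1;
    if (sscanf(p + strlen("secmark="), "%lu", &v) != 1)
        return -1;
    return (long)v;
}

/* Constructed conntrack -L style lines; only the secmark= field matters here. */
static const char *const sample_lines[] = {
    "tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51234 dport=22 secmark=1 use=1",
    "tcp 6 117 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=51300 dport=80 secmark=2 use=1",
    "udp 17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 use=1",
};

/* Annotates each sample line with the context its secmark number maps to. */
int main(void)
{
    size_t i;
    for (i = 0; i < sizeof(sample_lines) / sizeof(sample_lines[0]); i++) {
        long sid = parse_secmark_field(sample_lines[i]);
        if (sid < 0)
            printf("%s\n    (no secmark)\n", sample_lines[i]);
        else
            printf("%s\n    %s\n", sample_lines[i], describe_secmark((uint32_t)sid));
    }
    return 0;
}
```

Feeding real `conntrack -L` output through `parse_secmark_field` and a table built from your own rules is the whole of the "secmark->name translation" the first reply mentions; the only piece this example cannot supply is the table itself, which is exactly what the post asks iptables or the kernel to expose.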