Re: decipher the secmark number from nf_conntrack/ip_conntrack

Basically `conntrack -L`. You just need to write the patch that does the secmark->name translation. :-)
Actually, I've got a better idea!

I spent a good part of the last hour looking at the source of iptables (v1.4.7, as this is what comes out of my FC13 as the 'latest' rpm) and found this little nugget:

=====<xt_SECMARK.h>=================
struct xt_secmark_target_selinux_info {
   __u32 selsid;
   char selctx[SECMARK_SELCTX_MAX];
};
===================================

=====<libxt_SECMARK.c>===============
static void print_secmark(const struct xt_secmark_target_info *info)
{
   switch (info->mode) {
   case SECMARK_MODE_SEL:
       printf("selctx %s ", info->u.sel.selctx);
       break;
   default:
       xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
   }
}

static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
                         int numeric)
{
   const struct xt_secmark_target_info *info =
       (struct xt_secmark_target_info*)(target)->data;

   printf("SECMARK ");
   print_secmark(info);
}
===================================

The output of SECMARK_print is seen when I list the mangle table with iptables ('iptables -t mangle -L -n' for example), and there is the SELinux context in full view, just as I originally registered the rule match with. So, if I am to kindly ask the devs maintaining the iptables code to change the above function to include the following line:

printf("selctx %s [%u]", info->u.sel.selctx, info->u.sel.selsid);

instead of:

printf("selctx %s ", info->u.sel.selctx);

I would, at least, have an idea of which SELinux context maps to which number (I am assuming that 'selsid' is the actual number printed in the 'secmark=XXX' - I haven't gone that far in the code yet to verify this!).

Ideally, I would *love* to have a separate branch in, say '/proc/net/selctx', listing all registered contexts with iptables/netfilter together with their numbers (basically a printout of the whole xt_secmark_target_selinux_info struct as defined above).

That would not be too much to ask now, would it? :-)
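As an added illustration (not code from this post or from iptables), here is a small Python helper that assumes the proposed `selctx %s [%u]` print format has been applied and that `selsid` really is the number shown in `secmark=`, which the post itself flags as unverified. It builds a selsid-to-context map from `iptables -t mangle -L -n` output and uses it to label the `secmark` values in `conntrack -L` entries, flagging any number that no SECMARK rule accounts for; all sample output below is constructed.

```python
import re

# Constructed sample of `iptables -t mangle -L -n` output, using the post's
# proposed "selctx <context> [<selsid>]" format (not real iptables output).
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
SECMARK    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 SECMARK selctx system_u:object_r:httpd_packet_t:s0 [12]
SECMARK    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 SECMARK selctx system_u:object_r:ssh_packet_t:s0 [17]
CONNSECMARK  all  --  0.0.0.0/0            0.0.0.0/0            CONNSECMARK save
"""

# Constructed sample of `conntrack -L` output; secmark=99 has no matching rule.
CONNTRACK_OUTPUT = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=43210 dport=80 src=10.0.0.1 dst=10.0.0.5 sport=80 dport=43210 [ASSURED] mark=0 secmark=12 use=1
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=10.0.0.1 sport=43211 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=43211 [ASSURED] mark=0 secmark=17 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=5353 src=10.0.0.1 dst=10.0.0.5 sport=5353 dport=5353 mark=0 secmark=99 use=1
"""

SECMARK_RE = re.compile(r"SECMARK selctx (\S+) \[(\d+)\]")   # proposed format
CT_SECMARK_RE = re.compile(r"\bsecmark=(\d+)\b")

def parse_selsid_map(iptables_text):
    """Return {selsid: selctx} from SECMARK rules printed in the proposed format."""
    mapping = {}
    for line in iptables_text.splitlines():
        m = SECMARK_RE.search(line)
        if m:
            ctx, sid = m.group(1), int(m.group(2))
            if sid in mapping and mapping[sid] != ctx:
                raise ValueError(f"selsid {sid} listed with two different contexts")
            mapping[sid] = ctx
    return mapping

def annotate_conntrack(conntrack_text, selsid_map):
    """Return [(secmark, context or None)] for every entry carrying a secmark."""
    result = []
    for line in conntrack_text.splitlines():
        m = CT_SECMARK_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        result.append((sid, selsid_map.get(sid)))   # None = no rule explains it
    return result

if __name__ == "__main__":
    selsids = parse_selsid_map(IPTABLES_OUTPUT)
    for sid, ctx in annotate_conntrack(CONNTRACK_OUTPUT, selsids):
        print(f"secmark={sid} -> {ctx or 'UNKNOWN (no SECMARK rule lists this selsid)'}")
```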