-rw-r--r-- | include/libnetfilter_queue/libnetfilter_queue.h | 2 | ||||
-rw-r--r-- | include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_queue.h | 4 | ||||
-rw-r--r-- | src/libnetfilter_queue.c | 23 | ||||
-rw-r--r-- | src/nlmsg.c | 1 | ||||
-rw-r--r-- | utils/nfqnl_test.c | 12 |
6 files changed, 43 insertions, 3 deletions
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index bde7209..2e38411 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -105,6 +105,7 @@ extern uint32_t nfq_get_outdev(struct nfq_data *nfad);
 extern uint32_t nfq_get_physoutdev(struct nfq_data *nfad);
 extern int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid);
 extern int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid);
+extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
 
 extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
 			      struct nfq_data *nfad, char *name);
@@ -129,6 +130,7 @@ enum {
 	NFQ_XML_TIME = (1 << 5),
 	NFQ_XML_UID = (1 << 6),
 	NFQ_XML_GID = (1 << 7),
+	NFQ_XML_SECCTX = (1 << 8),
 	NFQ_XML_ALL = ~0U,
 };
 
diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h
index 5b6ae95..1975dfa 100644
--- a/include/libnetfilter_queue/linux_nfnetlink_queue.h
+++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h
@@ -53,6 +53,7 @@ enum nfqnl_attr_type {
 	NFQA_EXP,			/* nf_conntrack_netlink.h */
 	NFQA_UID,			/* __u32 sk uid */
 	NFQA_GID,			/* __u32 sk gid */
+	NFQA_SECCTX,			/* security context string */
 
 	__NFQA_MAX
 };
@@ -106,7 +107,8 @@ enum nfqnl_attr_config {
 #define NFQA_CFG_F_CONNTRACK			(1 << 1)
 #define NFQA_CFG_F_GSO				(1 << 2)
 #define NFQA_CFG_F_UID_GID			(1 << 3)
-#define NFQA_CFG_F_MAX				(1 << 4)
+#define NFQA_CFG_F_SECCTX			(1 << 4)
+#define NFQA_CFG_F_MAX				(1 << 5)
 
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 22f5d45..030672d 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
 	NFQA_EXP,			/* nf_conntrack_netlink.h */
 	NFQA_UID,			/* __u32 sk uid */
 	NFQA_GID,			/* __u32 sk gid */
+	NFQA_SECCTX,
 
 	__NFQA_MAX
 };
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
 #define NFQA_CFG_F_CONNTRACK			(1 << 1)
 #define NFQA_CFG_F_GSO				(1 << 2)
 #define NFQA_CFG_F_UID_GID			(1 << 3)
-#define NFQA_CFG_F_MAX				(1 << 4)
+#define NFQA_CFG_F_SECCTX			(1 << 4)
+#define NFQA_CFG_F_MAX				(1 << 5)
 
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index c9ed865..84184ee 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -1218,6 +1218,29 @@ int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid)
 }
 EXPORT_SYMBOL(nfq_get_gid);
 
+
+/**
+ * nfq_get_secctx - get the security context for this packet
+ * \param nfad Netlink packet data handle passed to callback function
+ * \param secdata data to write the security context to
+ *
+ * \return -1 on error, otherwise > 0
+ */
+int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
+{
+	if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
+		return -1;
+
+	*secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data,
+							 NFQA_SECCTX, char);
+
+	if (*secdata)
+		return NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1]);
+
+	return 0;
+}
+EXPORT_SYMBOL(nfq_get_secctx);
+
 /**
  * nfq_get_payload - get payload
  * \param nfad Netlink packet data handle passed to callback function
diff --git a/src/nlmsg.c b/src/nlmsg.c
index aebdd5e..cabd8be 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -137,6 +137,7 @@ static int nfq_pkt_parse_attr_cb(const struct nlattr *attr, void *data)
 	case NFQA_IFINDEX_PHYSOUTDEV:
 	case NFQA_CAP_LEN:
 	case NFQA_SKB_INFO:
+	case NFQA_SECCTX:
 	case NFQA_UID:
 	case NFQA_GID:
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c
index b760cf0..5e76ffe 100644
--- a/utils/nfqnl_test.c
+++ b/utils/nfqnl_test.c
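Review bot: The doc comment on nfq_get_secctx promises "-1 on error, otherwise > 0", but the body also returns 0 when the attribute is present and nfnl_get_pointer_to_data yields NULL, and it says nothing about the shape of what `*secdata` points to. The function hands back a pointer plus a length taken from `NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1])`, so the caller has to bound every use by that length; I see no guarantee here that the bytes are NUL-terminated, and the pointer presumably refers into nfad's netlink buffer and is only valid for the callback's lifetime — worth confirming and stating. I would rewrite the `\return` line as `\return -1 if NFQA_SECCTX is absent, 0 if present but empty, otherwise the length in bytes of the context; *secdata is not NUL-terminated` and add a `\note` that the pointer borrows nfad's buffer rather than copying it.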
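Review bot: `case NFQA_SECCTX:` is added to the arm that validates with `mnl_attr_validate(attr, MNL_TYPE_U32)`, but the new attribute carries a variable-length security-context string, so a payload that is not exactly 4 bytes will fail that check and the parse callback will reject the whole message as soon as NFQA_CFG_F_SECCTX is enabled. Give it its own arm: `case NFQA_SECCTX:` whose check is `if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)` followed by the same `return MNL_CB_ERROR;` and `break;`. As far as I recall MNL_TYPE_STRING only requires a non-empty payload and does not demand NUL termination, which matches how nfq_get_secctx returns a pointer and a length rather than a C string. nfq_pkt_parse_attr_cb both starts and ends outside this hunk.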
@@ -17,7 +17,7 @@ static uint32_t print_pkt (struct nfq_data *tb)
 	struct nfqnl_msg_packet_hw *hwph;
 	uint32_t mark, ifi, uid, gid;
 	int ret;
-	unsigned char *data;
+	unsigned char *data, *secdata;
 
 	ph = nfq_get_msg_packet_hdr(tb);
 	if (ph) {
@@ -61,6 +61,10 @@ static uint32_t print_pkt (struct nfq_data *tb)
 	if (nfq_get_gid(tb, &gid))
 		printf("gid=%u ", gid);
 
+	ret = nfq_get_secctx(tb, &secdata);
+	if (ret > 0)
+		printf("secctx=\"%.*s\" ", ret, secdata);
+
 	ret = nfq_get_payload(tb, &data);
 	if (ret >= 0)
 		printf("payload_len=%d ", ret);
@@ -134,6 +138,12 @@ int main(int argc, char **argv)
 			"retrieve process UID/GID.\n");
 	}
 
+	printf("setting flags to request security context\n");
+	if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) {
+		fprintf(stderr, "This kernel version does not allow to "
+				"retrieve security context.\n");
+	}
+
 	printf("Waiting for packets...\n");
 
 	fd = nfq_fd(h);
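Review bot: The `printf("secctx=\"%.*s\" ", ret, secdata)` call in the @@ -61 hunk is correct only because it bounds the print by `ret`, and that dependency is undocumented; the library returns a pointer plus a length and, from what is visible, does not promise a terminating NUL. A reader copying this pattern into their own callback could easily switch to `%s`, so I would add `/* secctx is length-delimited, not NUL-terminated: always bound by ret */` above the call. The `ret > 0` guard also quietly skips the "present but empty" case that nfq_get_secctx reports as 0, which is fine for a demo but worth a word in the same comment. print_pkt starts outside this hunk.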