extern uint32_t nfq_get_physoutdev(struct nfq_data *nfad);
extern int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid);
extern int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid);
+extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata);
extern int nfq_get_indev_name(struct nlif_handle *nlif_handle,
struct nfq_data *nfad, char *name);
NFQ_XML_TIME = (1 << 5),
NFQ_XML_UID = (1 << 6),
NFQ_XML_GID = (1 << 7),
+ NFQ_XML_SECCTX = (1 << 8),
NFQ_XML_ALL = ~0U,
};
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX, /* security context string */
__NFQA_MAX
};
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX,
__NFQA_MAX
};
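Review bot: The second header copy adds `NFQA_SECCTX` on the line above without the comment the first copy carries, so the two headers no longer agree on what the attribute holds, and a reader of this one would naturally assume another `__u32` like the UID/GID entries just above it. Use the same text in both, `NFQA_SECCTX, /* security context string */`, so that either header makes clear this is a variable-length string attribute rather than a fixed-size integer.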
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
}
EXPORT_SYMBOL(nfq_get_gid);
+
+/**
+ * nfq_get_secctx - get the security context for this packet
+ * \param nfad Netlink packet data handle passed to callback function
+ * \param secdata data to write the security context to
+ *
+ * \return -1 on error, otherwise > 0
+ */
+int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata)
+{
+ if (!nfnl_attr_present(nfad->data, NFQA_SECCTX))
+ return -1;
+
+ *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data,
+ NFQA_SECCTX, char);
+
+ if (*secdata)
+ return NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1]);
+
+ return 0;
+}
+EXPORT_SYMBOL(nfq_get_secctx);
+
/**
* nfq_get_payload - get payload
* \param nfad Netlink packet data handle passed to callback function
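Review bot: The doc comment on nfq_get_secctx says `\return -1 on error, otherwise > 0`, but the body returns 0 when the attribute is present and the data pointer comes back NULL, and it leaves `*secdata` untouched on the -1 path, so a caller that checks the pointer rather than the return value would read an uninitialised or NULL pointer. Document the three outcomes explicitly, e.g. `\return -1 if no security context is attached, 0 if the attribute carries no data, otherwise the length in bytes of the context (not necessarily NUL-terminated; read it with the returned length)`, since nothing here guarantees a terminator and the only visible consumer correctly bounds it with `%.*s`. Adding `*secdata = NULL;` before the presence check would also make the -1 and 0 paths safe for callers that inspect the pointer. The function's docstring presumably describes the same contract in the header, which is outside this hunk.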
case NFQA_IFINDEX_PHYSOUTDEV:
case NFQA_CAP_LEN:
case NFQA_SKB_INFO:
+ case NFQA_SECCTX:
case NFQA_UID:
case NFQA_GID:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
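Review bot: NFQA_SECCTX is added to the group validated as `MNL_TYPE_U32` on the line below it, but the header hunk above documents the attribute as a `security context string` and nfq_get_secctx treats it as a variable-length payload; an exact-4-byte validation will reject every real context and abort parsing of the whole packet message, and if the check were later loosened it would pass a non-U32 blob through the U32 path. Give it its own arm ahead of the U32 group, `case NFQA_SECCTX: if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) return MNL_CB_ERROR; break;`, using `MNL_TYPE_STRING` rather than `MNL_TYPE_NUL_STRING` because nothing in this change shows the kernel-supplied context is NUL-terminated. The enclosing attribute-parsing callback starts and ends outside the hunk, so I am assuming it follows the usual libmnl `MNL_CB_ERROR` convention on validation failure.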
struct nfqnl_msg_packet_hw *hwph;
uint32_t mark, ifi, uid, gid;
int ret;
- unsigned char *data;
+ unsigned char *data, *secdata;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
if (nfq_get_gid(tb, &gid))
printf("gid=%u ", gid);
+ ret = nfq_get_secctx(tb, &secdata);
+ if (ret > 0)
+ printf("secctx=\"%.*s\" ", ret, secdata);
+
ret = nfq_get_payload(tb, &data);
if (ret >= 0)
printf("payload_len=%d ", ret);
"retrieve process UID/GID.\n");
}
+ printf("setting flags to request security context\n");
+ if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) {
+ fprintf(stderr, "This kernel version does not allow to "
+ "retrieve security context.\n");
+ }
+
printf("Waiting for packets...\n");
fd = nfq_fd(h);