2 * Module for modifying the secmark field of the skb, for use by
5 * Based on the nfmark match by:
6 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
8 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16 #include <linux/module.h>
17 #include <linux/security.h>
18 #include <linux/skbuff.h>
19 #include <linux/netfilter/x_tables.h>
20 #include <linux/netfilter/xt_SECMARK.h>
22 MODULE_LICENSE("GPL");
23 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
24 MODULE_DESCRIPTION("Xtables: packet security mark modification");
25 MODULE_ALIAS("ipt_SECMARK");
26 MODULE_ALIAS("ip6t_SECMARK");
28 #define PFX "SECMARK: "
33 secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
37 BUG_ON(info->mode != mode);
40 case SECMARK_MODE_SEL:
41 secmark = info->secid;
47 skb->secmark = secmark;
51 static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
55 info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
58 err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
62 pr_info_ratelimited("invalid security context \'%s\'\n",
68 pr_info_ratelimited("unable to map security context \'%s\'\n",
73 err = security_secmark_relabel_packet(info->secid);
75 pr_info_ratelimited("unable to obtain relabeling permission\n");
79 security_secmark_refcount_inc();
84 secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info)
88 if (strcmp(table, "mangle") != 0 &&
89 strcmp(table, "security") != 0) {
90 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
95 if (mode && mode != info->mode) {
96 pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
101 switch (info->mode) {
102 case SECMARK_MODE_SEL:
105 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
109 err = checkentry_lsm(info);
118 static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
121 case SECMARK_MODE_SEL:
122 security_secmark_refcount_dec();
126 static int secmark_tg_check_v0(const struct xt_tgchk_param *par)
128 struct xt_secmark_target_info *info = par->targinfo;
129 struct xt_secmark_target_info_v1 newinfo = {
134 memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX);
136 ret = secmark_tg_check(par->table, &newinfo);
137 info->secid = newinfo.secid;
143 secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par)
145 const struct xt_secmark_target_info *info = par->targinfo;
146 struct xt_secmark_target_info_v1 newinfo = {
147 .secid = info->secid,
150 return secmark_tg(skb, &newinfo);
153 static int secmark_tg_check_v1(const struct xt_tgchk_param *par)
155 return secmark_tg_check(par->table, par->targinfo);
159 secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
161 return secmark_tg(skb, par->targinfo);
164 static struct xt_target secmark_tg_reg[] __read_mostly = {
168 .family = NFPROTO_UNSPEC,
169 .checkentry = secmark_tg_check_v0,
170 .destroy = secmark_tg_destroy,
171 .target = secmark_tg_v0,
172 .targetsize = sizeof(struct xt_secmark_target_info),
178 .family = NFPROTO_UNSPEC,
179 .checkentry = secmark_tg_check_v1,
180 .destroy = secmark_tg_destroy,
181 .target = secmark_tg_v1,
182 .targetsize = sizeof(struct xt_secmark_target_info_v1),
183 .usersize = offsetof(struct xt_secmark_target_info_v1, secid),
188 static int __init secmark_tg_init(void)
190 return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
193 static void __exit secmark_tg_exit(void)
195 xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
198 module_init(secmark_tg_init);
199 module_exit(secmark_tg_exit);