authorChristian Göttsche <cgzones@googlemail.com>2018-09-23 20:26:15 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-09-28 14:28:29 +0200
commitfb961945457f5177072c968aa38fee910ab893b9 (patch)
treedb7a9801ea060e236514626f4296ec8a378c8ad0 /include/net/netfilter/nf_tables_core.h
parent097f95d319f817e651bd51f8846aced92a55a6a1 (diff)
netfilter: nf_tables: add SECMARK support
Add the ability to set the security context of packets within the nf_tables framework. Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. Convert the security context strings at rule addition time to security identifiers. This is the same behavior as in xt_SECMARK and offers better performance than computing it per packet. Set the maximum security context length to 256. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net/netfilter/nf_tables_core.h')
-rw-r--r--include/net/netfilter/nf_tables_core.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index 8da837d2aaf9..2046d104f323 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -16,6 +16,10 @@ extern struct nft_expr_type nft_meta_type;
extern struct nft_expr_type nft_rt_type;
extern struct nft_expr_type nft_exthdr_type;
+#ifdef CONFIG_NETWORK_SECMARK
+extern struct nft_object_type nft_secmark_obj_type;
+#endif
+
int nf_tables_core_module_init(void);
void nf_tables_core_module_exit(void);
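Review bot: The added `extern struct nft_object_type nft_secmark_obj_type;` is declared only when CONFIG_NETWORK_SECMARK is set, so the definition and every reference to the symbol must sit under the same guard. Those are outside this hunk, so confirm they match; otherwise a build with the option disabled fails on an undeclared identifier. A one-line comment on the declaration would record the dependency, for example `/* secmark object type; exists only with CONFIG_NETWORK_SECMARK */`. The commit message places the context-to-identifier conversion at rule addition time, so the 256-byte bound and any permission check on relabelling need to be enforced at that point, which this header does not show.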