diff mbox

libnetfilter_queue: Add information about retrieving UID/GID/SECCTX fields

Message ID oirqus$3p1$1@blaine.gmane.org
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Piotr Sawicki June 26, 2017, 8:31 p.m. UTC 
From: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>

Add information about retrieving UID/GID/SECCTX fields

Signed-off-by: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
---
  src/libnetfilter_queue.c | 19 +++++++++++++++++++
  1 file changed, 19 insertions(+)

   * \return -1 on error with errno set appropriately; =0 otherwise.
   */
@@ -1201,6 +1208,10 @@ EXPORT_SYMBOL(nfq_get_packet_hw);
  /**
   * nfq_get_uid - get the UID of the user the packet belongs to
   * \param nfad Netlink packet data handle passed to callback function
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ *       may be pushed into the queue. In this case, only one fragment will
+ *       have the UID field set. To deal with this issue always set
+ *       NFQA_CFG_F_GSO.
   *
   * \return 1 if there is a UID available, 0 otherwise.
   */
@@ -1217,6 +1228,10 @@ EXPORT_SYMBOL(nfq_get_uid);
  /**
   * nfq_get_gid - get the GID of the user the packet belongs to
   * \param nfad Netlink packet data handle passed to callback function
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ *       may be pushed into the queue. In this case, only one fragment will
+ *       have the GID field set. To deal with this issue always set
+ *       NFQA_CFG_F_GSO.
   *
   * \return 1 if there is a GID available, 0 otherwise.
   */
@@ -1235,6 +1250,10 @@ EXPORT_SYMBOL(nfq_get_gid);
   * nfq_get_secctx - get the security context for this packet
   * \param nfad Netlink packet data handle passed to callback function
   * \param secdata data to write the security context to
+ * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets
+ *       may be pushed into the queue. In this case, only one fragment will
+ *       have the SECCTX field set. To deal with this issue always set
+ *       NFQA_CFG_F_GSO.
   *
   * \return -1 on error, otherwise > 0
   */

Comments

Pablo Neira Ayuso June 27, 2017, 4:48 p.m. UTC | #1 
On Mon, Jun 26, 2017 at 10:31:30PM +0200, Piotr Sawicki wrote:
> From: Piotr Radoslaw Sawicki <piotr.sawicki@gmail.com>
> 
> Add information about retrieving UID/GID/SECCTX fields

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 1702158..4002687 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -698,6 +698,13 @@  EXPORT_SYMBOL(nfq_set_mode);
  	flags &= ~NFQA_CFG_F_FAIL_OPEN;
  	err = nfq_set_queue_flags(qh, mask, flags);
  \endverbatim
+ *  - NFQA_CFG_F_SECCTX: the kernel will dump security context of the 
socket to
+ *  which each packet belongs.
+ *
+ *  \warning
+ *  When fragmentation occurs and NFQA_CFG_F_GSO is NOT set then the kernel
+ *  dumps UID/GID and security context fields only for one fragment. To 
deal with
+ *  this limitation always set NFQA_CFG_F_GSO.
   *