From patchwork Mon Jun 26 20:31:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Piotr Sawicki
X-Patchwork-Id: 780863
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3wxLLj0r57z9s81 for ; Tue, 27 Jun 2017 06:31:41 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751770AbdFZUbk (ORCPT ); Mon, 26 Jun 2017 16:31:40 -0400
Received: from [195.159.176.226] ([195.159.176.226]:41192 "EHLO blaine.gmane.org" rhost-flags-FAIL-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1751432AbdFZUbj (ORCPT ); Mon, 26 Jun 2017 16:31:39 -0400
Received: from list by blaine.gmane.org with local (Exim 4.84_2) (envelope-from ) id 1dPafT-0004r0-15 for netfilter-devel@vger.kernel.org; Mon, 26 Jun 2017 22:31:31 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: netfilter-devel@vger.kernel.org
From: Piotr Sawicki
Subject: [PATCH] libnetfilter_queue: Add information about retrieving UID/GID/SECCTX fields
Date: Mon, 26 Jun 2017 22:31:30 +0200
Lines: 64
Message-ID:
Mime-Version: 1.0
X-Complaints-To: usenet@blaine.gmane.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
X-Mozilla-News-Host: news://news.gmane.org
Content-Language: en-US
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Piotr Radoslaw Sawicki

Add information about retrieving UID/GID/SECCTX fields

Signed-off-by: Piotr Radoslaw Sawicki
---
 src/libnetfilter_queue.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 * \return -1 on error with errno set appropriately; =0 otherwise. */
@@ -1201,6 +1208,10 @@ EXPORT_SYMBOL(nfq_get_packet_hw); /** * nfq_get_uid - get the UID of the user the packet belongs to * \param nfad Netlink packet data handle passed to callback function + * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets + * may be pushed into the queue. In this case, only one fragment will + * have the UID field set. To deal with this issue always set + * NFQA_CFG_F_GSO. * * \return 1 if there is a UID available, 0 otherwise. */ @@ -1217,6 +1228,10 @@ EXPORT_SYMBOL(nfq_get_uid); /** * nfq_get_gid - get the GID of the user the packet belongs to * \param nfad Netlink packet data handle passed to callback function + * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets + * may be pushed into the queue. In this case, only one fragment will + * have the GID field set. To deal with this issue always set + * NFQA_CFG_F_GSO. * * \return 1 if there is a GID available, 0 otherwise. */ @@ -1235,6 +1250,10 @@ EXPORT_SYMBOL(nfq_get_gid); * nfq_get_secctx - get the security context for this packet * \param nfad Netlink packet data handle passed to callback function * \param secdata data to write the security context to + * \warning If the NFQA_CFG_F_GSO flag is not set, then fragmented packets + * may be pushed into the queue. In this case, only one fragment will + * have the SECCTX field set. To deal with this issue always set + * NFQA_CFG_F_GSO. * * \return -1 on error, otherwise > 0 */ diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c index 1702158..4002687 100644 --- a/src/libnetfilter_queue.c +++ b/src/libnetfilter_queue.c 
@@ -698,6 +698,13 @@ EXPORT_SYMBOL(nfq_set_mode); flags &= ~NFQA_CFG_F_FAIL_OPEN; err = nfq_set_queue_flags(qh, mask, flags); \endverbatim + * - NFQA_CFG_F_SECCTX: the kernel will dump security context of the socket to + * which each packet belongs. + * + * \warning + * When fragmentation occurs and NFQA_CFG_F_GSO is NOT set then the kernel + * dumps UID/GID and security context fields only for one fragment. To deal with + * this limitation always set NFQA_CFG_F_GSO. *
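Review bot: in the hunk at line 698 the new `- NFQA_CFG_F_SECCTX:` bullet is inserted right after the `\endverbatim` that closes the nfq_set_queue_flags usage example, so it lands below the example instead of in the flag list the example illustrates; move the bullet up next to the other flag descriptions and keep only the `\warning` below the example. The warning covers "UID/GID and security context fields" but this hunk only describes the SECCTX flag, so the reader is not told which flag enables UID/GID dumping; name it alongside SECCTX so the warning is self-contained. Two wording points: NFQA_CFG_F_GSO governs whether large GSO packets are handed to user space unsegmented, so "segmented" rather than "fragmentation" would avoid suggesting IP fragmentation; and "always set NFQA_CFG_F_GSO" should state the trade-off the caller takes on (the callback must then handle packets larger than the MTU), otherwise the advice reads as unconditional.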
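Review bot: in the nfq_get_uid hunk at line 1201 the `\warning` says "only one fragment will have the UID field set" but does not connect that to the documented return value two lines below, `\return 1 if there is a UID available, 0 otherwise`; state that the getter returns 0 on the segments that carry no UID attribute so the caller knows what they will observe and does not mistake it for an error. The same four-line warning is then copied into nfq_get_gid and nfq_get_secctx with only the field name changed; a single description under nfq_set_queue_flags with a `\sa` from each getter would keep the three in sync.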
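Review bot: the nfq_get_gid hunk at line 1217 duplicates the nfq_get_uid warning word for word apart from "GID"; since UID and GID are delivered together, a one-line `\sa nfq_get_uid` (or a shared paragraph) is enough here, and "segmented" is again the accurate term for what the missing NFQA_CFG_F_GSO flag causes.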
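Review bot: in the nfq_get_secctx hunk at line 1235 the `\warning` says only one segment will have the SECCTX field set, yet the function's contract just below is `\return -1 on error, otherwise > 0`, which leaves it ambiguous whether a segment without a security context yields -1 (an error the caller should log) or some other value it should treat as "not present"; spell out the return value for that case, since a -1 here would otherwise look like a failure to the callback.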