Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1568435imm; Sun, 23 Sep 2018 06:57:06 -0700 (PDT) X-Google-Smtp-Source: ACcGV60/FrGUaHhz6SIQ1lziTPce+4/+hKOd/Gi4pdbUs898hcV+x2ngisfxJyl/KVgkFOWsT2pM X-Received: by 2002:a17:902:102c:: with SMTP id b41-v6mr6849357pla.257.1537711026595; Sun, 23 Sep 2018 06:57:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537711026; cv=none; d=google.com; s=arc-20160816; b=ojpi3RxpwiaQPOc/zf9Cvp6oZNhUMbHksYH7H8DfW+Ww2tNAYbWBdmWgFNzhxpHqBf 5bHhb5qBMosG5eKeMgpkU5dyg5YTDRtmhn0eVpWy/aXxt6oZT1LvxO4VT2MLrfGPuNJp C8YhVNB9DcoSFrnZj2YETX1s9XGcNhRQs+VYoFjBhTrlV7KN6p+FA2XHwHa37plMG+RO qd8RYPs5PtPw7ZheAdTn2oeHk/3t3Sx9cY90x+ClFI0rqQZxTca3tZdCN9lmfk2hkhE2 KiyMBgns/kp2j0FVnYqYNG2eVDxPObpZfF/Ag/EvrCZm4KbfQcYxPqb5l4mzUYzUvkPb 1bug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Rs+UYRtZ1OOpiqDzBovavLdBz8k6nInFKxiZ4y+MwyM=; b=gw3e57TxQjmaN1BlzFMvRR7k9JjlP51GJoUGs9SF5h9oIZuS9F9Kjm9C/OUhTfS3Zf nuP4KEqa1JGGMYZbuuHjjrYTsk4B+78Q8bX5ZbM9v3sd08K7CK+b5QY8xNLmIq7ujhgD UwL3+qHXiQbXG3UJgkzxEJAkkN7Ye5hu6NSXro2/FVAvLmKU5Q82kp1Q0cqORrZzqGG6 6QqWGCBdQ1FGHOU0dBZeZD8fDB8aIROh63vvSHZbxzshMGWO/srcbChtRjEDcN/WNvV9 LEEnnWISXsOT8DK37aX2yjzwyQH62VazVZoyNr6VUTbbT2r+8Rzn5rc0G77UAEqXvX8X H64Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f12-v6si32143275pgg.653.2018.09.23.06.56.51; Sun, 23 Sep 2018 06:57:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726384AbeIWTxi (ORCPT + 99 others); Sun, 23 Sep 2018 15:53:38 -0400 Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:48074 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726189AbeIWTxi (ORCPT ); Sun, 23 Sep 2018 15:53:38 -0400 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.89) (envelope-from ) id 1g44rb-0000cl-J3; Sun, 23 Sep 2018 15:55:55 +0200 Date: Sun, 23 Sep 2018 15:55:55 +0200 From: Florian Westphal To: Christian =?iso-8859-15?Q?G=F6ttsche?= Cc: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, jmorris@namei.org, serge@hallyn.com, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org Subject: Re: [PATCH v2 1/2] netfilter: nf_tables: add SECMARK support Message-ID: <20180923135555.7kwa3kyachwcfy24@breakpoint.cc> References: <20180923091611.19815-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20180923091611.19815-1-cgzones@googlemail.com> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian G?ttsche wrote: > Add the ability to set the security context of packets within the nf_tables framework. > Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. > > Convert the security context strings at rule addition time to security identifiers. > This is the same behavior like in xt_SECMARK and offers better performance than computing it per packet. > > Set the maximum security context length to 256. Looks good, one minor suggestion. > +#ifdef CONFIG_NETWORK_SECMARK > + > +struct nft_secmark { > + char ctx[NFT_SECMARK_CTX_MAXLEN]; > + int len; > + u32 secid; > +}; Can you change this to: struct nft_secmark { u32 secid; char *ctx; }; ? We don't need ctx in the packetpath, so better to keep the struct size small. > + nla_strlcpy(priv->ctx, tb[NFTA_SECMARK_CTX], NFT_SECMARK_CTX_MAXLEN); You can change this to priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL); if (!priv->ctx) return -ENOMEM; > + err = nft_secmark_secconversion(priv); > + if (err) { kfree(priv->ctx); > +static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) > +{ kfree(priv->ctx); But other than this i think this is ready to be applied, thanks a lot for making this happen.