Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip6table_security.c
Go to the documentation of this file.
1 /*
2  * "security" table for IPv6
3  *
4  * This is for use by Mandatory Access Control (MAC) security models,
5  * which need to be able to manage security policy in separate context
6  * to DAC.
7  *
8  * Based on iptable_mangle.c
9  *
10  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
12  * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
13  *
14  * This program is free software; you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License version 2 as
16  * published by the Free Software Foundation.
17  */
18 #include <linux/module.h>
19 #include <linux/netfilter_ipv6/ip6_tables.h>
20 #include <linux/slab.h>
21 
22 MODULE_LICENSE("GPL");
23 MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
24 MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
25 
26 #define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
27  (1 << NF_INET_FORWARD) | \
28  (1 << NF_INET_LOCAL_OUT)
29 
30 static const struct xt_table security_table = {
31  .name = "security",
32  .valid_hooks = SECURITY_VALID_HOOKS,
33  .me = THIS_MODULE,
34  .af = NFPROTO_IPV6,
35  .priority = NF_IP6_PRI_SECURITY,
36 };
37 
38 static unsigned int
39 ip6table_security_hook(unsigned int hook, struct sk_buff *skb,
40  const struct net_device *in,
41  const struct net_device *out,
42  int (*okfn)(struct sk_buff *))
43 {
44  const struct net *net = dev_net((in != NULL) ? in : out);
45 
46  return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security);
47 }
48 
49 static struct nf_hook_ops *sectbl_ops __read_mostly;
50 
51 static int __net_init ip6table_security_net_init(struct net *net)
52 {
53  struct ip6t_replace *repl;
54 
55  repl = ip6t_alloc_initial_table(&security_table);
56  if (repl == NULL)
57  return -ENOMEM;
58  net->ipv6.ip6table_security =
59  ip6t_register_table(net, &security_table, repl);
60  kfree(repl);
61  return PTR_RET(net->ipv6.ip6table_security);
62 }
63 
64 static void __net_exit ip6table_security_net_exit(struct net *net)
65 {
66  ip6t_unregister_table(net, net->ipv6.ip6table_security);
67 }
68 
69 static struct pernet_operations ip6table_security_net_ops = {
70  .init = ip6table_security_net_init,
71  .exit = ip6table_security_net_exit,
72 };
73 
74 static int __init ip6table_security_init(void)
75 {
76  int ret;
77 
78  ret = register_pernet_subsys(&ip6table_security_net_ops);
79  if (ret < 0)
80  return ret;
81 
82  sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook);
83  if (IS_ERR(sectbl_ops)) {
84  ret = PTR_ERR(sectbl_ops);
85  goto cleanup_table;
86  }
87 
88  return ret;
89 
90 cleanup_table:
91  unregister_pernet_subsys(&ip6table_security_net_ops);
92  return ret;
93 }
94 
95 static void __exit ip6table_security_fini(void)
96 {
97  xt_hook_unlink(&security_table, sectbl_ops);
98  unregister_pernet_subsys(&ip6table_security_net_ops);
99 }
100 
101 module_init(ip6table_security_init);
102 module_exit(ip6table_security_fini);