1d2912cb1SThomas Gleixner // SPDX-License-Identifier: GPL-2.0-only 217e6e59fSJames Morris /* 317e6e59fSJames Morris * "security" table for IPv6 417e6e59fSJames Morris * 517e6e59fSJames Morris * This is for use by Mandatory Access Control (MAC) security models, 617e6e59fSJames Morris * which need to be able to manage security policy in separate context 717e6e59fSJames Morris * to DAC. 817e6e59fSJames Morris * 917e6e59fSJames Morris * Based on iptable_mangle.c 1017e6e59fSJames Morris * 1117e6e59fSJames Morris * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling 1217e6e59fSJames Morris * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org> 1317e6e59fSJames Morris * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com> 1417e6e59fSJames Morris */ 1517e6e59fSJames Morris #include <linux/module.h> 1617e6e59fSJames Morris #include <linux/netfilter_ipv6/ip6_tables.h> 175a0e3ad6STejun Heo #include <linux/slab.h> 1817e6e59fSJames Morris 1917e6e59fSJames Morris MODULE_LICENSE("GPL"); 2017e6e59fSJames Morris MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>"); 2117e6e59fSJames Morris MODULE_DESCRIPTION("ip6tables security table, for MAC rules"); 2217e6e59fSJames Morris 2317e6e59fSJames Morris #define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \ 2417e6e59fSJames Morris (1 << NF_INET_FORWARD) | \ 2517e6e59fSJames Morris (1 << NF_INET_LOCAL_OUT) 2617e6e59fSJames Morris 2735aad0ffSJan Engelhardt static const struct xt_table security_table = { 2817e6e59fSJames Morris .name = "security", 2917e6e59fSJames Morris .valid_hooks = SECURITY_VALID_HOOKS, 3017e6e59fSJames Morris .me = THIS_MODULE, 31f88e6a8aSJan Engelhardt .af = NFPROTO_IPV6, 322b95efe7SJan Engelhardt .priority = NF_IP6_PRI_SECURITY, 3317e6e59fSJames Morris }; 3417e6e59fSJames Morris 3517e6e59fSJames Morris static unsigned int 3606198b34SEric W. Biederman ip6table_security_hook(void *priv, struct sk_buff *skb, 37238e54c9SDavid S. Miller const struct nf_hook_state *state) 3817e6e59fSJames Morris { 39ee177a54SFlorian Westphal return ip6t_do_table(skb, state, priv); 4017e6e59fSJames Morris } 4117e6e59fSJames Morris 422b95efe7SJan Engelhardt static struct nf_hook_ops *sectbl_ops __read_mostly; 4317e6e59fSJames Morris 44*fdacd57cSFlorian Westphal static int ip6table_security_table_init(struct net *net) 4517e6e59fSJames Morris { 46e3eaa991SJan Engelhardt struct ip6t_replace *repl; 47a67dd266SFlorian Westphal int ret; 4817e6e59fSJames Morris 49e3eaa991SJan Engelhardt repl = ip6t_alloc_initial_table(&security_table); 50e3eaa991SJan Engelhardt if (repl == NULL) 51e3eaa991SJan Engelhardt return -ENOMEM; 52ee177a54SFlorian Westphal ret = ip6t_register_table(net, &security_table, repl, sectbl_ops); 53e3eaa991SJan Engelhardt kfree(repl); 54a67dd266SFlorian Westphal return ret; 5517e6e59fSJames Morris } 5617e6e59fSJames Morris 575f027bc7SDavid Wilder static void __net_exit ip6table_security_net_pre_exit(struct net *net) 585f027bc7SDavid Wilder { 59ee177a54SFlorian Westphal ip6t_unregister_table_pre_exit(net, "security"); 605f027bc7SDavid Wilder } 615f027bc7SDavid Wilder 6217e6e59fSJames Morris static void __net_exit ip6table_security_net_exit(struct net *net) 6317e6e59fSJames Morris { 646c071754SFlorian Westphal ip6t_unregister_table_exit(net, "security"); 6517e6e59fSJames Morris } 6617e6e59fSJames Morris 6717e6e59fSJames Morris static struct pernet_operations ip6table_security_net_ops = { 685f027bc7SDavid Wilder .pre_exit = ip6table_security_net_pre_exit, 6917e6e59fSJames Morris .exit = ip6table_security_net_exit, 7017e6e59fSJames Morris }; 7117e6e59fSJames Morris 7217e6e59fSJames Morris static int __init ip6table_security_init(void) 7317e6e59fSJames Morris { 74*fdacd57cSFlorian Westphal int ret = xt_register_template(&security_table, 75*fdacd57cSFlorian Westphal ip6table_security_table_init); 76*fdacd57cSFlorian Westphal 77*fdacd57cSFlorian Westphal if (ret < 0) 78*fdacd57cSFlorian Westphal return ret; 7917e6e59fSJames Morris 80b9e69e12SFlorian Westphal sectbl_ops = xt_hook_ops_alloc(&security_table, ip6table_security_hook); 81*fdacd57cSFlorian Westphal if (IS_ERR(sectbl_ops)) { 82*fdacd57cSFlorian Westphal xt_unregister_template(&security_table); 83b9e69e12SFlorian Westphal return PTR_ERR(sectbl_ops); 84*fdacd57cSFlorian Westphal } 8517e6e59fSJames Morris 86b9e69e12SFlorian Westphal ret = register_pernet_subsys(&ip6table_security_net_ops); 87b9e69e12SFlorian Westphal if (ret < 0) { 88b9e69e12SFlorian Westphal kfree(sectbl_ops); 89*fdacd57cSFlorian Westphal xt_unregister_template(&security_table); 90b9e69e12SFlorian Westphal return ret; 912b95efe7SJan Engelhardt } 9217e6e59fSJames Morris 9317e6e59fSJames Morris return ret; 9417e6e59fSJames Morris } 9517e6e59fSJames Morris 9617e6e59fSJames Morris static void __exit ip6table_security_fini(void) 9717e6e59fSJames Morris { 9817e6e59fSJames Morris unregister_pernet_subsys(&ip6table_security_net_ops); 99*fdacd57cSFlorian Westphal xt_unregister_template(&security_table); 100b9e69e12SFlorian Westphal kfree(sectbl_ops); 10117e6e59fSJames Morris } 10217e6e59fSJames Morris 10317e6e59fSJames Morris module_init(ip6table_security_init); 10417e6e59fSJames Morris module_exit(ip6table_security_fini); 105