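// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2014 Intel Corporation
 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/kernel.h>
#include <linux/math64.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/smp.h>
#include <linux/static_key.h>
#include <net/dst.h>
#include <net/sock.h>
#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nft_meta.h>
#include <net/netfilter/nf_tables_offload.h>

#include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */

#define NFT_META_SECS_PER_MINUTE	60
#define NFT_META_SECS_PER_HOUR		3600
#define NFT_META_SECS_PER_DAY		86400
#define NFT_META_DAYS_PER_WEEK		7

/*
 * Per-CPU PRNG state backing NFT_META_PRANDOM.  It is seeded lazily by
 * nft_meta_get_init() through prandom_init_once() the first time a
 * PRANDOM rule is installed.
 */
static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);

/*
 * nft_meta_weekday - day of the week for a wall-clock timestamp
 * @secs: seconds since the Unix epoch (UTC), as a 64-bit time
 *
 * The timestamp is first shifted into the system timezone (sys_tz), so
 * the result is the local weekday.  1970-01-01 was a Thursday, hence the
 * "4 +" offset before the modulo.
 *
 * Fix: the time is carried as time64_t and divided with div_u64() instead
 * of the former 'unsigned long' and '/'.  On 32-bit hosts the old type
 * truncated the clock (Y2038/Y2106 wrap) and a plain s64 division would
 * pull in a libgcc helper the kernel does not link.
 */
static u8 nft_meta_weekday(time64_t secs)
{
	unsigned int dse;
	u8 wday;

	secs -= NFT_META_SECS_PER_MINUTE * sys_tz.tz_minuteswest;
	dse = div_u64(secs, NFT_META_SECS_PER_DAY);
	wday = (4 + dse) % NFT_META_DAYS_PER_WEEK;

	return wday;
}

/*
 * nft_meta_hour - seconds elapsed since midnight for a timestamp
 * @secs: seconds since the Unix epoch (UTC), as a 64-bit time
 *
 * The breakdown is done with a zero UTC offset, so (unlike
 * nft_meta_weekday()) no timezone adjustment is applied here and the
 * value is relative to UTC midnight.
 */
static u32 nft_meta_hour(time64_t secs)
{
	struct tm tm;

	time64_to_tm(secs, 0, &tm);

	return tm.tm_hour * NFT_META_SECS_PER_HOUR
		+ tm.tm_min * NFT_META_SECS_PER_MINUTE
		+ tm.tm_sec;
}

/*
 * nft_meta_get_eval - load a packet/socket/route metadata value
 * @expr: the meta expression (key + destination register)
 * @regs: register file; the value lands in regs->data[priv->dreg]
 * @pkt:  packet under evaluation
 *
 * Keys whose source is unavailable for this packet (no input device, no
 * transport header, no socket, ...) do not write the register; instead
 * the verdict is set to NFT_BREAK so the rule stops matching.
 *
 * Fix: NFT_META_TIME_DAY/TIME_HOUR now read the clock with
 * ktime_get_real_seconds() (64-bit) instead of the deprecated,
 * 'unsigned long'-sized get_seconds().
 */
void nft_meta_get_eval(const struct nft_expr *expr,
		       struct nft_regs *regs,
		       const struct nft_pktinfo *pkt)
{
	const struct nft_meta *priv = nft_expr_priv(expr);
	const struct sk_buff *skb = pkt->skb;
	const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
	struct sock *sk;
	u32 *dest = &regs->data[priv->dreg];

	switch (priv->key) {
	case NFT_META_LEN:
		*dest = skb->len;
		break;
	case NFT_META_PROTOCOL:
		nft_reg_store16(dest, (__force u16)skb->protocol);
		break;
	case NFT_META_NFPROTO:
		nft_reg_store8(dest, nft_pf(pkt));
		break;
	case NFT_META_L4PROTO:
		/* Transport protocol is only known once the core parsed it. */
		if (!pkt->tprot_set)
			goto err;
		nft_reg_store8(dest, pkt->tprot);
		break;
	case NFT_META_PRIORITY:
		*dest = skb->priority;
		break;
	case NFT_META_MARK:
		*dest = skb->mark;
		break;
	case NFT_META_IIF:
		*dest = in ? in->ifindex : 0;
		break;
	case NFT_META_OIF:
		*dest = out ? out->ifindex : 0;
		break;
	case NFT_META_IIFNAME:
		/* IFNAMSIZ-wide register (see nft_meta_get_init); strncpy
		 * zero-pads the remainder.  A missing device yields "".
		 */
		strncpy((char *)dest, in ? in->name : "", IFNAMSIZ);
		break;
	case NFT_META_OIFNAME:
		strncpy((char *)dest, out ? out->name : "", IFNAMSIZ);
		break;
	case NFT_META_IIFTYPE:
		if (in == NULL)
			goto err;
		nft_reg_store16(dest, in->type);
		break;
	case NFT_META_OIFTYPE:
		if (out == NULL)
			goto err;
		nft_reg_store16(dest, out->type);
		break;
	case NFT_META_SKUID:
		/* Only a full socket living in the packet's own netns is
		 * consulted; the uid is that of the socket's owning file,
		 * mapped through init_user_ns.  sk_callback_lock is held
		 * while sk_socket/file are dereferenced.
		 */
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;

		read_lock_bh(&sk->sk_callback_lock);
		if (sk->sk_socket == NULL ||
		    sk->sk_socket->file == NULL) {
			read_unlock_bh(&sk->sk_callback_lock);
			goto err;
		}

		*dest =	from_kuid_munged(&init_user_ns,
				sk->sk_socket->file->f_cred->fsuid);
		read_unlock_bh(&sk->sk_callback_lock);
		break;
	case NFT_META_SKGID:
		/* Same constraints as NFT_META_SKUID, for the owning gid. */
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;

		read_lock_bh(&sk->sk_callback_lock);
		if (sk->sk_socket == NULL ||
		    sk->sk_socket->file == NULL) {
			read_unlock_bh(&sk->sk_callback_lock);
			goto err;
		}
		*dest =	from_kgid_munged(&init_user_ns,
				 sk->sk_socket->file->f_cred->fsgid);
		read_unlock_bh(&sk->sk_callback_lock);
		break;
#ifdef CONFIG_IP_ROUTE_CLASSID
	case NFT_META_RTCLASSID: {
		const struct dst_entry *dst = skb_dst(skb);

		if (dst == NULL)
			goto err;
		*dest = dst->tclassid;
		break;
	}
#endif
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
		*dest = skb->secmark;
		break;
#endif
	case NFT_META_PKTTYPE:
		if (skb->pkt_type != PACKET_LOOPBACK) {
			nft_reg_store8(dest, skb->pkt_type);
			break;
		}

		/* Loopback traffic carries PACKET_LOOPBACK; reconstruct
		 * multicast vs. broadcast from the network header instead.
		 */
		switch (nft_pf(pkt)) {
		case NFPROTO_IPV4:
			if (ipv4_is_multicast(ip_hdr(skb)->daddr))
				nft_reg_store8(dest, PACKET_MULTICAST);
			else
				nft_reg_store8(dest, PACKET_BROADCAST);
			break;
		case NFPROTO_IPV6:
			nft_reg_store8(dest, PACKET_MULTICAST);
			break;
		case NFPROTO_NETDEV:
			switch (skb->protocol) {
			case htons(ETH_P_IP): {
				int noff = skb_network_offset(skb);
				struct iphdr *iph, _iph;

				/* Header may not be linear here; copy it out. */
				iph = skb_header_pointer(skb, noff,
							 sizeof(_iph), &_iph);
				if (!iph)
					goto err;

				if (ipv4_is_multicast(iph->daddr))
					nft_reg_store8(dest, PACKET_MULTICAST);
				else
					nft_reg_store8(dest, PACKET_BROADCAST);

				break;
			}
			case htons(ETH_P_IPV6):
				nft_reg_store8(dest, PACKET_MULTICAST);
				break;
			default:
				WARN_ON_ONCE(1);
				goto err;
			}
			break;
		default:
			WARN_ON_ONCE(1);
			goto err;
		}
		break;
	case NFT_META_CPU:
		*dest = raw_smp_processor_id();
		break;
	case NFT_META_IIFGROUP:
		if (in == NULL)
			goto err;
		*dest = in->group;
		break;
	case NFT_META_OIFGROUP:
		if (out == NULL)
			goto err;
		*dest = out->group;
		break;
#ifdef CONFIG_CGROUP_NET_CLASSID
	case NFT_META_CGROUP:
		sk = skb_to_full_sk(skb);
		if (!sk || !sk_fullsock(sk) ||
		    !net_eq(nft_net(pkt), sock_net(sk)))
			goto err;
		*dest = sock_cgroup_classid(&sk->sk_cgrp_data);
		break;
#endif
	case NFT_META_PRANDOM: {
		struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
		*dest = prandom_u32_state(state);
		break;
	}
#ifdef CONFIG_XFRM
	case NFT_META_SECPATH:
		nft_reg_store8(dest, secpath_exists(skb));
		break;
#endif
	case NFT_META_IIFKIND:
		/* NOTE(review): ->kind is copied with an IFNAMSIZ bound;
		 * a kind string of IFNAMSIZ or more characters would leave
		 * the register unterminated.  In-tree kinds are short, but
		 * this is worth keeping in mind when comparing as a string.
		 */
		if (in == NULL || in->rtnl_link_ops == NULL)
			goto err;
		strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
		break;
	case NFT_META_OIFKIND:
		if (out == NULL || out->rtnl_link_ops == NULL)
			goto err;
		strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
		break;
	case NFT_META_TIME_NS:
		nft_reg_store64(dest, ktime_get_real_ns());
		break;
	case NFT_META_TIME_DAY:
		nft_reg_store8(dest, nft_meta_weekday(ktime_get_real_seconds()));
		break;
	case NFT_META_TIME_HOUR:
		*dest = nft_meta_hour(ktime_get_real_seconds());
		break;
	default:
		WARN_ON(1);
		goto err;
	}
	return;

err:
	regs->verdict.code = NFT_BREAK;
}
EXPORT_SYMBOL_GPL(nft_meta_get_eval);

/*
 * nft_meta_set_eval - store a register value into packet metadata
 * @expr: the meta expression (key + source register)
 * @regs: register file; the value is read from regs->data[meta->sreg]
 * @pkt:  packet being modified
 *
 * NFT_META_PKTTYPE is only rewritten when both the current and the new
 * type pass skb_pkt_type_ok() (and they differ); the other keys are
 * assigned unconditionally.
 */
void nft_meta_set_eval(const struct nft_expr *expr,
		       struct nft_regs *regs,
		       const struct nft_pktinfo *pkt)
{
	const struct nft_meta *meta = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	u32 *sreg = &regs->data[meta->sreg];
	u32 value = *sreg;
	u8 value8;

	switch (meta->key) {
	case NFT_META_MARK:
		skb->mark = value;
		break;
	case NFT_META_PRIORITY:
		skb->priority = value;
		break;
	case NFT_META_PKTTYPE:
		value8 = nft_reg_load8(sreg);

		if (skb->pkt_type != value8 &&
		    skb_pkt_type_ok(value8) &&
		    skb_pkt_type_ok(skb->pkt_type))
			skb->pkt_type = value8;
		break;
	case NFT_META_NFTRACE:
		value8 = nft_reg_load8(sreg);

		/* Any non-zero value enables tracing for this skb. */
		skb->nf_trace = !!value8;
		break;
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
		skb->secmark = value;
		break;
#endif
	default:
		WARN_ON(1);
	}
}
EXPORT_SYMBOL_GPL(nft_meta_set_eval);

/* Netlink attribute policy shared by the get and set variants. */
const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
	[NFTA_META_DREG]	= { .type = NLA_U32 },
	[NFTA_META_KEY]		= { .type = NLA_U32 },
	[NFTA_META_SREG]	= { .type = NLA_U32 },
};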
EXPORT_SYMBOL_GPL(nft_meta_policy);

/*
 * nft_meta_get_reg_len - destination register width for a "get" key
 * @key: NFT_META_* selector taken from the netlink request
 *
 * Returns the number of bytes the key writes into its destination
 * register, or 0 for keys that cannot be read (unknown, set-only, or
 * compiled out by the kernel configuration).
 */
static unsigned int nft_meta_get_reg_len(u32 key)
{
	switch (key) {
	case NFT_META_PROTOCOL:
	case NFT_META_IIFTYPE:
	case NFT_META_OIFTYPE:
		return sizeof(u16);
	case NFT_META_NFPROTO:
	case NFT_META_L4PROTO:
	case NFT_META_LEN:
	case NFT_META_PRIORITY:
	case NFT_META_MARK:
	case NFT_META_IIF:
	case NFT_META_OIF:
	case NFT_META_SKUID:
	case NFT_META_SKGID:
#ifdef CONFIG_IP_ROUTE_CLASSID
	case NFT_META_RTCLASSID:
#endif
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
#endif
	case NFT_META_PKTTYPE:
	case NFT_META_CPU:
	case NFT_META_IIFGROUP:
	case NFT_META_OIFGROUP:
#ifdef CONFIG_CGROUP_NET_CLASSID
	case NFT_META_CGROUP:
#endif
	case NFT_META_PRANDOM:
	case NFT_META_TIME_HOUR:
		return sizeof(u32);
	case NFT_META_IIFNAME:
	case NFT_META_OIFNAME:
	case NFT_META_IIFKIND:
	case NFT_META_OIFKIND:
		return IFNAMSIZ;
#ifdef CONFIG_XFRM
	case NFT_META_SECPATH:
#endif
	case NFT_META_TIME_DAY:
		return sizeof(u8);
	case NFT_META_TIME_NS:
		return sizeof(u64);
	}

	return 0;
}

/*
 * nft_meta_get_init - parse a "meta <key> => reg" expression
 * @ctx:  rule context used for register validation
 * @expr: expression being initialised
 * @tb:   parsed NFTA_META_* attributes
 *
 * Rejects unsupported keys with -EOPNOTSUPP, seeds the per-CPU PRNG on
 * first use of NFT_META_PRANDOM, then validates the destination register
 * against the key's width.  Returns 0 or a negative errno.
 */
int nft_meta_get_init(const struct nft_ctx *ctx,
		      const struct nft_expr *expr,
		      const struct nlattr * const tb[])
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int width;

	priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));

	width = nft_meta_get_reg_len(priv->key);
	if (!width)
		return -EOPNOTSUPP;

	/* One-time seeding of the generator behind NFT_META_PRANDOM. */
	if (priv->key == NFT_META_PRANDOM)
		prandom_init_once(&nft_prandom_state);

	priv->dreg = nft_parse_register(tb[NFTA_META_DREG]);
	return nft_validate_register_store(ctx, priv->dreg, NULL,
					   NFT_DATA_VALUE, width);
}
EXPORT_SYMBOL_GPL(nft_meta_get_init);

/*
 * nft_meta_get_validate - restrict NFT_META_SECPATH to ingress hooks
 *
 * Only the secpath key is hook-sensitive: it is allowed on netdev ingress
 * and on the INET prerouting/input/forward hooks.  Every other key, and
 * every key when XFRM is compiled out, is accepted unconditionally.
 */
static int nft_meta_get_validate(const struct nft_ctx *ctx,
				 const struct nft_expr *expr,
				 const struct nft_data **data)
{
#ifdef CONFIG_XFRM
	const struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int allowed;

	if (priv->key != NFT_META_SECPATH)
		return 0;

	if (ctx->family == NFPROTO_NETDEV) {
		allowed = 1 << NF_NETDEV_INGRESS;
	} else if (ctx->family == NFPROTO_IPV4 ||
		   ctx->family == NFPROTO_IPV6 ||
		   ctx->family == NFPROTO_INET) {
		allowed = (1 << NF_INET_PRE_ROUTING) |
			  (1 << NF_INET_LOCAL_IN) |
			  (1 << NF_INET_FORWARD);
	} else {
		return -EOPNOTSUPP;
	}

	return nft_chain_validate_hooks(ctx->chain, allowed);
#else
	return 0;
#endif
}

/*
 * nft_meta_set_validate - restrict "meta pkttype set" to prerouting
 *
 * Rewriting pkt_type is only permitted on the earliest hook of each
 * family (bridge prerouting, netdev ingress, INET prerouting).  Other
 * set keys are not hook-restricted.
 */
int nft_meta_set_validate(const struct nft_ctx *ctx,
			  const struct nft_expr *expr,
			  const struct nft_data **data)
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int allowed;

	if (priv->key != NFT_META_PKTTYPE)
		return 0;

	if (ctx->family == NFPROTO_BRIDGE) {
		allowed = 1 << NF_BR_PRE_ROUTING;
	} else if (ctx->family == NFPROTO_NETDEV) {
		allowed = 1 << NF_NETDEV_INGRESS;
	} else if (ctx->family == NFPROTO_IPV4 ||
		   ctx->family == NFPROTO_IPV6 ||
		   ctx->family == NFPROTO_INET) {
		allowed = 1 << NF_INET_PRE_ROUTING;
	} else {
		return -EOPNOTSUPP;
	}

	return nft_chain_validate_hooks(ctx->chain, allowed);
}
EXPORT_SYMBOL_GPL(nft_meta_set_validate);

/*
 * nft_meta_set_init - parse a "meta <key> set reg" expression
 *
 * Validates the source register against the key's width and, for
 * NFT_META_NFTRACE, bumps the tracing static key (undone in
 * nft_meta_set_destroy()).  Returns 0 or a negative errno.
 */
int nft_meta_set_init(const struct nft_ctx *ctx,
		      const struct nft_expr *expr,
		      const struct nlattr * const tb[])
{
	struct nft_meta *priv = nft_expr_priv(expr);
	unsigned int width;
	int ret;

	priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));

	switch (priv->key) {
	case NFT_META_NFTRACE:
	case NFT_META_PKTTYPE:
		width = sizeof(u8);
		break;
	case NFT_META_MARK:
	case NFT_META_PRIORITY:
#ifdef CONFIG_NETWORK_SECMARK
	case NFT_META_SECMARK:
#endif
		width = sizeof(u32);
		break;
	default:
		return -EOPNOTSUPP;
	}

	priv->sreg = nft_parse_register(tb[NFTA_META_SREG]);
	ret = nft_validate_register_load(priv->sreg, width);
	if (ret < 0)
		return ret;

	/* Only taken after validation succeeded, so destroy() balances it. */
	if (priv->key == NFT_META_NFTRACE)
		static_branch_inc(&nft_trace_enabled);

	return 0;
}
EXPORT_SYMBOL_GPL(nft_meta_set_init);

/*
 * nft_meta_dump_key_reg - emit the key and one register attribute
 * @skb:  netlink message under construction
 * @priv: expression being dumped
 * @attr: NFTA_META_DREG or NFTA_META_SREG
 * @reg:  register number to encode
 *
 * Returns 0 on success, -1 if either attribute did not fit.
 */
static int nft_meta_dump_key_reg(struct sk_buff *skb,
				 const struct nft_meta *priv,
				 unsigned int attr, unsigned int reg)
{
	if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
		return -1;

	return nft_dump_register(skb, attr, reg) ? -1 : 0;
}

/* Dump a "get" expression: key plus destination register. */
int nft_meta_get_dump(struct sk_buff *skb,
		      const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	return nft_meta_dump_key_reg(skb, priv, NFTA_META_DREG, priv->dreg);
}
EXPORT_SYMBOL_GPL(nft_meta_get_dump);

/* Dump a "set" expression: key plus source register. */
int nft_meta_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	return nft_meta_dump_key_reg(skb, priv, NFTA_META_SREG, priv->sreg);
}
EXPORT_SYMBOL_GPL(nft_meta_set_dump);

/* Release the tracing static-key reference taken in nft_meta_set_init(). */
void nft_meta_set_destroy(const struct nft_ctx *ctx,
			  const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);

	if (priv->key != NFT_META_NFTRACE)
		return;

	static_branch_dec(&nft_trace_enabled);
}
EXPORT_SYMBOL_GPL(nft_meta_set_destroy);

/*
 * nft_meta_get_offload - translate a "get" key into a flow-dissector match
 *
 * Only the ethertype (NFT_META_PROTOCOL) and transport protocol
 * (NFT_META_L4PROTO) have hardware equivalents; anything else returns
 * -EOPNOTSUPP so the rule stays in software.
 */
static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
				struct nft_flow_rule *flow,
				const struct nft_expr *expr)
{
	const struct nft_meta *priv = nft_expr_priv(expr);
	struct nft_offload_reg *dst = &ctx->regs[priv->dreg];

	switch (priv->key) {
	case NFT_META_PROTOCOL:
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
				  sizeof(__u16), dst);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
		return 0;
	case NFT_META_L4PROTO:
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
				  sizeof(__u8), dst);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
		return 0;
	}

	return -EOPNOTSUPP;
}

static const struct nft_expr_ops nft_meta_get_ops = {
	.type		= &nft_meta_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_meta)),
	.eval		= nft_meta_get_eval,
	.init		= nft_meta_get_init,
	.dump		= nft_meta_get_dump,
	.validate	= nft_meta_get_validate,
	.offload	= nft_meta_get_offload,
};

static const struct nft_expr_ops nft_meta_set_ops = {
	.type		= &nft_meta_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_meta)),
	.eval		= nft_meta_set_eval,
	.init		= nft_meta_set_init,
	.destroy	= nft_meta_set_destroy,
	.dump		= nft_meta_set_dump,
	.validate	= nft_meta_set_validate,
};

/*
 * nft_meta_select_ops - pick the get or set variant from the attributes
 *
 * A key is mandatory and DREG/SREG are mutually exclusive.  For bridge
 * family rules, when the bridge meta extension is built as a module,
 * -EAGAIN asks the core to load it and retry.
 */
static const struct nft_expr_ops *
nft_meta_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	const struct nlattr *dreg = tb[NFTA_META_DREG];
	const struct nlattr *sreg = tb[NFTA_META_SREG];

	if (!tb[NFTA_META_KEY] || (dreg && sreg))
		return ERR_PTR(-EINVAL);

#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
	if (ctx->family == NFPROTO_BRIDGE)
		return ERR_PTR(-EAGAIN);
#endif
	if (dreg)
		return &nft_meta_get_ops;

	return sreg ? &nft_meta_set_ops : ERR_PTR(-EINVAL);
}

struct nft_expr_type nft_meta_type __read_mostly = {
	.name		= "meta",
	.select_ops	= nft_meta_select_ops,
	.policy		= nft_meta_policy,
	.maxattr	= NFTA_META_MAX,
	.owner		= THIS_MODULE,
};

#ifdef CONFIG_NETWORK_SECMARK
/* A secmark object: the LSM context string and the secid resolved from it. */
struct nft_secmark {
	u32 secid;
	char *ctx;
};

static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
	[NFTA_SECMARK_CTX]     = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN },
};

/*
 * nft_secmark_compute_secid - (re)resolve priv->ctx into priv->secid
 *
 * Asks the LSM to translate the context string and to approve relabeling
 * packets with it.  priv->secid is only updated once both succeed; a
 * zero secid is reported as -ENOENT.
 */
static int nft_secmark_compute_secid(struct nft_secmark *priv)
{
	u32 secid = 0;
	int ret;

	ret = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &secid);
	if (ret)
		return ret;

	if (!secid)
		return -ENOENT;

	ret = security_secmark_relabel_packet(secid);
	if (ret)
		return ret;

	priv->secid = secid;
	return 0;
}

/* Apply the object's secid to the packet. */
static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	const struct nft_secmark *priv = nft_obj_data(obj);

	pkt->skb->secmark = priv->secid;
}

/*
 * nft_secmark_obj_init - create a secmark object from NFTA_SECMARK_CTX
 *
 * Duplicates the context string, resolves it, and on success takes a
 * secmark refcount on the LSM (dropped in nft_secmark_obj_destroy()).
 */
static int nft_secmark_obj_init(const struct nft_ctx *ctx,
				const struct nlattr * const tb[],
				struct nft_object *obj)
{
	struct nft_secmark *priv = nft_obj_data(obj);
	int ret;

	if (!tb[NFTA_SECMARK_CTX])
		return -EINVAL;

	priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
	if (!priv->ctx)
		return -ENOMEM;

	ret = nft_secmark_compute_secid(priv);
	if (ret) {
		kfree(priv->ctx);
		return ret;
	}

	security_secmark_refcount_inc();

	return 0;
}

/*
 * nft_secmark_obj_dump - emit the context string; with @reset, also
 * re-resolve the secid (policy may have been reloaded).
 */
static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj,
				bool reset)
{
	struct nft_secmark *priv = nft_obj_data(obj);

	if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx))
		return -1;

	if (!reset)
		return 0;

	return nft_secmark_compute_secid(priv);
}

/* Drop the LSM refcount and free the context string. */
static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
{
	struct nft_secmark *priv = nft_obj_data(obj);

	security_secmark_refcount_dec();

	kfree(priv->ctx);
}

static const struct nft_object_ops nft_secmark_obj_ops = {
	.type		= &nft_secmark_obj_type,
	.size		= sizeof(struct nft_secmark),
	.init		= nft_secmark_obj_init,
	.eval		= nft_secmark_obj_eval,
	.dump		= nft_secmark_obj_dump,
	.destroy	= nft_secmark_obj_destroy,
};
struct nft_object_type nft_secmark_obj_type __read_mostly = {
	.type		= NFT_OBJECT_SECMARK,
	.ops		= &nft_secmark_obj_ops,
	.maxattr	= NFTA_SECMARK_MAX,
	.policy		= nft_secmark_policy,
	.owner		= THIS_MODULE,
};
#endif /* CONFIG_NETWORK_SECMARK */