summaryrefslogtreecommitdiff
path: root/security/lsm_audit.c
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2021-02-15 12:28:07 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2021-02-15 18:17:15 +0100
commit6001a930ce0378b62210d4f83583fc88a903d89d (patch)
treedb2b5e9f51bac22a1192ac6e526204c57799c21a /security/lsm_audit.c
parent00dfe9bebdf09c37827fb71db89c66a396f1a38c (diff)
netfilter: nftables: introduce table ownership
A userspace daemon like firewalld might need to monitor for netlink updates to detect its ruleset removal by the (global) flush ruleset command to ensure ruleset persistency. This adds extra complexity from userspace and, for some little time, the firewall policy is not in place. This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace program to own the table that creates in exclusivity. Tables that are owned... - can only be updated and removed by the owner, non-owners hit EPERM if they try to update it or remove it. - are destroyed when the owner closes the netlink socket or the process is gone (implicit netlink socket closure). - are skipped by the global flush ruleset command. - are listed in the global ruleset. The userspace process that sets on the NFT_TABLE_F_OWNER flag need to leave open the netlink socket. A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID to identify the owner from userspace. This patch also updates error reporting when an unknown table flag is specified to change it from EINVAL to EOPNOTSUPP given that EINVAL is usually reserved to report for malformed netlink messages to userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'security/lsm_audit.c')
0 files changed, 0 insertions, 0 deletions