From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH 0/3] Fix SECMARK target comparison
Date: Thu, 14 May 2020 15:09:55 +0200
Message-ID: <20200514130955.GP17795@orbyte.nwl.cc>
In-Reply-To: <20200514122328.GA24661@salvia>
Hi Pablo,
On Thu, May 14, 2020 at 02:23:28PM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 12, 2020 at 07:10:15PM +0200, Phil Sutter wrote:
> > The kernel sets struct secmark_target_info->secid, so target comparison
> > in user space failed every time. Given that target data comparison
> > happens in libiptc, fixing this is a bit harder than just adding a cmp()
> > callback to struct xtables_target. Instead, allow for targets to write
> > the matchmask bits for their private data themselves and account for
> > that in both legacy and nft code. Then make use of the new
> > infrastructure to fix libxt_SECMARK.
>
> Hm, -D and -C with SECMARK are broken since the beginning.
Yes, sadly.
> Another possibility would be to fix the kernel to update the layout, to
> get it aligned with other existing extensions.
You mean using 'usersize' just like e.g. xt_bpf.c?
One advantage of my fix is it works with old kernels as well.
Cheers, Phil
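The masked-comparison idea from the cover letter above, as an added C illustration (not code from the iptables patch set or libiptc): a per-target matchmask leaves the kernel-written secid bytes out of the comparison, so a rule as the user typed it still matches the copy read back from the kernel, while a changed context still fails. The struct layout follows the kernel uapi header; secmark_build_rule, secmark_matchmask and secmark_rules_match are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SECMARK target data as laid out in the kernel uapi header
 * linux/netfilter/xt_SECMARK.h, copied here so the example is self-contained. */
#define SECMARK_SECCTX_MAX 256
#define SECMARK_MODE_SEL   0x01

struct xt_secmark_target_info {
	uint8_t  mode;
	uint32_t secid;              /* written by the kernel, never by the user */
	char     secctx[SECMARK_SECCTX_MAX];
};

/* Fill in a rule the way the extension would from its --selctx option. */
void secmark_build_rule(struct xt_secmark_target_info *info, const char *ctx)
{
	memset(info, 0, sizeof(*info));   /* zero padding and secid as well */
	info->mode = SECMARK_MODE_SEL;
	strncpy(info->secctx, ctx, SECMARK_SECCTX_MAX - 1);
}

/* Hypothetical per-target matchmask callback: mark every byte to compare
 * with 0xff and blank out the kernel-owned secid so it is ignored. */
static void secmark_matchmask(unsigned char *mask, size_t size)
{
	memset(mask, 0xff, size);
	memset(mask + offsetof(struct xt_secmark_target_info, secid), 0, sizeof(uint32_t));
}

/* Masked comparison in the spirit of libiptc: a byte only counts when its
 * mask byte is set. Returns 1 when the rules match, 0 otherwise. */
int secmark_rules_match(const struct xt_secmark_target_info *user,
			const struct xt_secmark_target_info *kernel)
{
	unsigned char mask[sizeof(*user)];
	const unsigned char *a = (const unsigned char *)user;
	const unsigned char *b = (const unsigned char *)kernel;
	size_t i;

	secmark_matchmask(mask, sizeof(mask));
	for (i = 0; i < sizeof(mask); i++)
		if ((a[i] ^ b[i]) & mask[i])
			return 0;
	return 1;
}
```

A plain memcmp() over the two structs is what the old -C/-D path effectively did, and it fails as soon as the kernel has filled in secid.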