@@ -6,6 +6,7 @@
* Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
*/
#include <stdio.h>
+#include <string.h>
#include <xtables.h>
#include <linux/netfilter/xt_SECMARK.h>
@@ -68,6 +69,14 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
print_secmark(info);
}
+static void SECMARK_matchmask(void *mask)
+{
+ struct xt_secmark_target_info *info = mask;
+
+ memset(mask, 0xFF, XT_ALIGN(sizeof(struct xt_secmark_target_info)));
+ info->secid = 0;
+}
+
static struct xtables_target secmark_target = {
.family = NFPROTO_UNSPEC,
.name = "SECMARK",
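Review bot: SECMARK_matchmask carries no comment explaining why only secid is cleared after the 0xFF fill, so a reader of the callback cannot tell that the kernel overwrites this field once the rule is loaded and that comparing it would make check and delete-by-rulespec never match; that rationale currently lives only in the commit message. I would put it above the definition: `/* The kernel fills in secid once the rule is loaded, so a rule read back from the kernel never compares equal to a freshly parsed one; leave secid out of the mask. */`. The memset length `XT_ALIGN(sizeof(struct xt_secmark_target_info))` must stay in step with the target's `.size`, which is outside this hunk, so I cannot confirm the two agree; if they ever diverge, part of the mask would be left unset or the write would overrun the caller's buffer. A short comment tying the length to `.size`, or deriving one from the other, would keep that invariant visible to the next maintainer.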
@@ -80,6 +89,7 @@ static struct xtables_target secmark_target = {
.save = SECMARK_save,
.x6_parse = SECMARK_parse,
.x6_options = SECMARK_opts,
+ .matchmask = SECMARK_matchmask,
};
void _init(void)
new file mode 100644
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
The kernel fills in struct xt_secmark_target_info->secid, so when the rule is received from the kernel it won't match a newly created one. This prevented delete by rulespec and check commands. Make use of the newly introduced matchmask callback to prepare a mask which explicitly excludes the secid field. Signed-off-by: Phil Sutter <phil@nwl.cc> --- extensions/libxt_SECMARK.c | 10 ++++++++++ extensions/libxt_SECMARK.t | 4 ++++ 2 files changed, 14 insertions(+) create mode 100644 extensions/libxt_SECMARK.t