| Message ID | 20200512171018.16871-1-phil@nwl.cc |
|---|---|
| Headers | show |
| Series | Fix SECMARK target comparison | expand |
On Tue, May 12, 2020 at 07:10:15PM +0200, Phil Sutter wrote: > The kernel sets struct secmark_target_info->secid, so target comparison > in user space failed every time. Given that target data comparison > happens in libiptc, fixing this is a bit harder than just adding a cmp() > callback to struct xtables_target. Instead, allow for targets to write > the matchmask bits for their private data themselves and account for > that in both legacy and nft code. Then make use of the new > infrastructure to fix libxt_SECMARK. Hm, -D and -C with SECMARK are broken since the beginning. Another possible would be to fix the kernel to update the layout, to get it aligned with other existing extensions.
Hi Pablo, On Thu, May 14, 2020 at 02:23:28PM +0200, Pablo Neira Ayuso wrote: > On Tue, May 12, 2020 at 07:10:15PM +0200, Phil Sutter wrote: > > The kernel sets struct secmark_target_info->secid, so target comparison > > in user space failed every time. Given that target data comparison > > happens in libiptc, fixing this is a bit harder than just adding a cmp() > > callback to struct xtables_target. Instead, allow for targets to write > > the matchmask bits for their private data themselves and account for > > that in both legacy and nft code. Then make use of the new > > infrastructure to fix libxt_SECMARK. > > Hm, -D and -C with SECMARK are broken since the beginning. Yes, sadly. > Another possible would be to fix the kernel to update the layout, to > get it aligned with other existing extensions. You mean using 'usersize' just like e.g. xt_bpf.c? One advantage of my fix is it works with old kernels as well. Cheers, Phil
The kernel sets struct secmark_target_info->secid, so target comparison in user space failed every time. Given that target data comparison happens in libiptc, fixing this is a bit harder than just adding a cmp() callback to struct xtables_target. Instead, allow for targets to write the matchmask bits for their private data themselves and account for that in both legacy and nft code. Then make use of the new infrastructure to fix libxt_SECMARK. Phil Sutter (3): xshared: Share make_delete_mask() between ip{,6}tables libxtables: Introduce 'matchmask' target callback libxt_SECMARK: Fix for failing target comparison configure.ac | 4 ++-- extensions/libxt_SECMARK.c | 10 ++++++++++ extensions/libxt_SECMARK.t | 4 ++++ include/xtables.h | 3 +++ iptables/ip6tables.c | 38 ++------------------------------------ iptables/iptables.c | 38 ++------------------------------------ iptables/nft-shared.c | 15 ++++++++++++++- iptables/xshared.c | 38 ++++++++++++++++++++++++++++++++++++++ iptables/xshared.h | 4 ++++ 9 files changed, 79 insertions(+), 75 deletions(-) create mode 100644 extensions/libxt_SECMARK.t