From patchwork Tue May 12 17:10:15 2020
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1288641
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 0/3] Fix SECMARK target comparison
Date: Tue, 12 May 2020 19:10:15 +0200
Message-Id: <20200512171018.16871-1-phil@nwl.cc>
X-Mailing-List: netfilter-devel@vger.kernel.org

The kernel sets struct secmark_target_info->secid, so target comparison
in user space failed every time.
Given that target data comparison happens in libiptc, fixing this is a
bit harder than just adding a cmp() callback to struct xtables_target.
Instead, allow for targets to write the matchmask bits for their private
data themselves and account for that in both legacy and nft code. Then
make use of the new infrastructure to fix libxt_SECMARK.

Phil Sutter (3):
  xshared: Share make_delete_mask() between ip{,6}tables
  libxtables: Introduce 'matchmask' target callback
  libxt_SECMARK: Fix for failing target comparison

 configure.ac               |  4 ++--
 extensions/libxt_SECMARK.c | 10 ++++++++++
 extensions/libxt_SECMARK.t |  4 ++++
 include/xtables.h          |  3 +++
 iptables/ip6tables.c       | 38 ++------------------------------------
 iptables/iptables.c        | 38 ++------------------------------------
 iptables/nft-shared.c      | 15 ++++++++++++++-
 iptables/xshared.c         | 38 ++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h         |  4 ++++
 9 files changed, 79 insertions(+), 75 deletions(-)
 create mode 100644 extensions/libxt_SECMARK.t
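The failure mode the cover letter describes, and the masked comparison that
fixes it, in a small added C example. This is editorial illustration, not
code from the patch series or from iptables/libiptc: the struct layout
(demo_secmark_info), the callback signature (demo_matchmask_fn), the
secctx buffer size and the secid value 0x12345 are all constructed
stand-ins chosen for the demonstration. It shows why a byte-for-byte
compare of a rule built in user space (secid still 0) against the same
rule read back from the kernel (secid filled in) never matches, and how
letting the target clear its kernel-written field in the mask makes the
compare succeed while every user-supplied byte still counts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SECMARK target's private data (not the
 * real kernel or iptables definition): mode and secctx come from the
 * user, secid is written by the kernel when the rule is inserted. */
struct demo_secmark_info {
    uint8_t  mode;
    uint32_t secid;      /* kernel-written, unknown to user space */
    char     secctx[64]; /* constructed size */
};

/* Hypothetical callback shape: the target clears the mask bytes that
 * must be ignored when its private data is compared. */
typedef void (*demo_matchmask_fn)(void *mask, size_t len);

struct demo_target {
    const char *name;
    size_t datalen;
    demo_matchmask_fn matchmask; /* NULL: every byte is compared */
};

/* Build the comparison mask: by default all bytes count (the old
 * behaviour); a target with a matchmask callback can punch holes in it. */
static void demo_build_mask(const struct demo_target *t, unsigned char *mask)
{
    memset(mask, 0xFF, t->datalen);
    if (t->matchmask)
        t->matchmask(mask, t->datalen);
}

/* SECMARK's callback: exclude the kernel-written secid from the compare. */
static void demo_secmark_matchmask(void *mask, size_t len)
{
    struct demo_secmark_info *m = mask;
    (void)len;
    m->secid = 0;
}

/* Masked byte-by-byte comparison of two target data blobs. */
static bool demo_target_equal(const struct demo_target *t,
                              const void *a, const void *b)
{
    unsigned char mask[sizeof(struct demo_secmark_info)];
    const unsigned char *pa = a, *pb = b;
    size_t i;

    demo_build_mask(t, mask);
    for (i = 0; i < t->datalen; i++)
        if ((pa[i] ^ pb[i]) & mask[i])
            return false;
    return true;
}

/* Scenario: a rule parsed from the command line (secid == 0) is compared
 * with the same rule as the kernel reports it (secid resolved). Returns
 * true when the two are recognised as the same rule. */
bool demo_compare_with_kernel_rule(bool use_matchmask)
{
    struct demo_secmark_info user, kernel;
    struct demo_target t;

    memset(&user, 0, sizeof(user)); /* also zeroes padding bytes */
    user.mode = 1;
    strncpy(user.secctx, "system_u:object_r:demo_packet_t:s0",
            sizeof(user.secctx) - 1);

    kernel = user;
    kernel.secid = 0x12345; /* constructed: kernel resolved the context */

    t.name = "SECMARK";
    t.datalen = sizeof(struct demo_secmark_info);
    t.matchmask = use_matchmask ? demo_secmark_matchmask : NULL;

    return demo_target_equal(&t, &user, &kernel);
}

int main(void)
{
    printf("without matchmask: %s\n",
           demo_compare_with_kernel_rule(false) ? "match" : "mismatch");
    printf("with matchmask:    %s\n",
           demo_compare_with_kernel_rule(true) ? "match" : "mismatch");
    return 0;
}
```

The design point is that the mask is owned by the target, not by the
generic comparison code: only libxt_SECMARK knows which of its bytes the
kernel overwrites, so it is the right place to declare them irrelevant,
and the shared delete/compare path stays generic.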