From patchwork Tue May 12 17:10:18 2020
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1288640
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 3/3] libxt_SECMARK: Fix for failing target comparison
Date: Tue, 12 May 2020 19:10:18 +0200
Message-Id: <20200512171018.16871-4-phil@nwl.cc>
In-Reply-To: <20200512171018.16871-1-phil@nwl.cc>
References: <20200512171018.16871-1-phil@nwl.cc>
X-Mailing-List: netfilter-devel@vger.kernel.org

The kernel fills in struct xt_secmark_target_info->secid, so when the rule is received from the kernel it won't match a newly created one. This prevented delete by rulespec and check commands.

Make use of the newly introduced matchmask callback to prepare a mask which explicitly excludes the secid field.

Signed-off-by: Phil Sutter
---
extensions/libxt_SECMARK.c | 10 ++++++++++
extensions/libxt_SECMARK.t | 4 ++++
2 files changed, 14 insertions(+)
create mode 100644 extensions/libxt_SECMARK.t

diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c index 6ba8606355daa..e9fd133642f00 100644 --- a/extensions/libxt_SECMARK.c +++ b/extensions/libxt_SECMARK.c @@ -6,6 +6,7 @@ * Copyright (C) 2006 Red Hat, Inc., James Morris */ #include +#include #include #include @@ -68,6 +69,14 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target) print_secmark(info); } +static void SECMARK_matchmask(void *mask) +{ + struct xt_secmark_target_info *info = mask; + + memset(mask, 0xFF, XT_ALIGN(sizeof(struct xt_secmark_target_info))); + info->secid = 0; +} + static struct xtables_target secmark_target = { .family = NFPROTO_UNSPEC, .name = "SECMARK", @@ -80,6 +89,7 @@ static struct xtables_target secmark_target = { .save = SECMARK_save, .x6_parse = SECMARK_parse, .x6_options = SECMARK_opts, + .matchmask = SECMARK_matchmask, }; void _init(void)
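Review bot: SECMARK_matchmask() in the second libxt_SECMARK.c hunk needs a one-line comment saying why secid alone is exempt (the kernel overwrites it on insert, as the commit message explains); a reader of the file without this thread cannot tell why that field is cleared. Now that `info` exists, `memset(mask, 0xFF, XT_ALIGN(sizeof(struct xt_secmark_target_info)));` could be `memset(mask, 0xFF, XT_ALIGN(sizeof(*info)));` so the size stays tied to the pointer type. Clearing only secid is the right granularity: mode and secctx are still compared in full, so a rule with a different context does not match by accident.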
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t new file mode 100644 index 0000000000000..39d4c09348bf4 --- /dev/null +++ b/extensions/libxt_SECMARK.t @@ -0,0 +1,4 @@ +:INPUT,FORWARD,OUTPUT +*security +-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK +-j SECMARK;;FAIL
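Review bot: the OK line in libxt_SECMARK.t only succeeds on a host whose SELinux policy can map system_u:object_r:firewalld_exec_t:s0, so on hosts without that type the add itself is refused and the test fails for reasons unrelated to this fix; if the .t harness has no way to mark a case as SELinux-dependent, a comment naming the requirement would help. The commit message names delete by rulespec and the check command as what was broken, so please confirm the harness also runs -D (or -C) on this rule after the save comparison; otherwise the file covers only the add/save round-trip and not the regression.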
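To show the failure the commit message describes and how the mask fixes it, here is an added stand-alone C sketch, not iptables code: a constructed stand-in for struct xt_secmark_target_info, a matchmask shaped like the patch's SECMARK_matchmask(), and a masked byte comparison. The field layout, the mode value, the secid the kernel writes and the 8-byte XT_ALIGN are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct xt_secmark_target_info (layout assumed, not taken from the page). */
#define SECMARK_SECCTX_MAX 256
struct xt_secmark_target_info {
	uint8_t mode;
	uint32_t secid;                 /* filled in by the kernel on insert */
	char secctx[SECMARK_SECCTX_MAX];
};

#define XT_ALIGN(s) (((s) + 7) & ~(size_t)7)   /* assumed 8-byte alignment */
#define SECMARK_SIZE XT_ALIGN(sizeof(struct xt_secmark_target_info))

/* Same shape as the patch's SECMARK_matchmask(): every bit set except secid. */
static void secmark_matchmask(void *mask)
{
	struct xt_secmark_target_info *info = mask;
	memset(mask, 0xFF, SECMARK_SIZE);
	info->secid = 0;
}

/* Masked byte comparison: a byte only counts where the mask byte is set. */
static int masked_equal(const void *a, const void *b, const void *mask, size_t len)
{
	const unsigned char *pa = a, *pb = b, *pm = mask;
	for (size_t i = 0; i < len; i++)
		if ((pa[i] ^ pb[i]) & pm[i])
			return 0;
	return 1;
}

/* 1 if the rule as parsed from the command line matches the copy the kernel
 * returns (secid set), 0 if not; use_mask selects plain memcmp vs. masked compare. */
static int rule_matches_kernel_copy(int use_mask)
{
	struct xt_secmark_target_info want, have;
	unsigned char mask[SECMARK_SIZE];

	memset(&want, 0, sizeof(want));     /* zero padding too, as calloc() would */
	want.mode = 1;                      /* constructed mode value */
	strcpy(want.secctx, "system_u:object_r:firewalld_exec_t:s0");
	memcpy(&have, &want, sizeof(have));
	have.secid = 0x2a;                  /* constructed: what the kernel fills in */
	if (!use_mask)
		return memcmp(&want, &have, sizeof(want)) == 0;
	secmark_matchmask(mask);
	return masked_equal(&want, &have, mask, sizeof(want));
}
```

A plain memcmp fails (this is the delete/check failure), while the masked compare succeeds because only secid differs.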