From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Thu, 06 Jan 2011 02:56:33 +0100

> In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
> via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
> instead of the secmark.
>
> That patch introduced the use of security_secid_to_secctx() which may
> return a non-zero value on error.
>
> In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
> security modules. Thus, security_secid_to_secctx() returns a negative
> value that results in the breakage of the /proc and `conntrack -L'
> outputs. To fix this, we skip the inclusion of secctx if the
> aforementioned function fails.
>
> This patch also fixes the dynamic netlink message size calculation
> if security_secid_to_secctx() returns an error, since its logic is
> also wrong.
>
> This problem exists in Linux kernel >= 2.6.37.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Applied, thanks Pablo.
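The commit message above describes two consequences of ignoring the return value of security_secid_to_secctx() when no LSM is loaded: a broken /proc line and a wrong ctnetlink size estimate. The following is an added, user-space illustration of that check-before-use pattern; it is not the kernel's code and not the patch itself. The LSM hook, the secctx label, nla_total_size() and the "before"/"after" size routines are constructed stand-ins (assumptions) that only model the behaviour the message describes: the hook returns 0 and fills *seclen (and *secdata when non-NULL) on success, or a negative errno with no LSM.

```c
/*
 * Added example, not the kernel's or the patch author's code: a user-space
 * model of the check-the-return-value pattern the commit message describes.
 * Every name and behaviour below is an assumption standing in for the kernel.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int lsm_loaded;                 /* 0 models "no security module" */
void set_lsm_loaded(int on) { lsm_loaded = on; }

/* Constructed stand-in for the LSM hook. With no LSM it fails and leaves
 * *seclen untouched, which is exactly what makes ignoring its return unsafe. */
static int security_secid_to_secctx(unsigned int secid, char **secdata,
                                    unsigned int *seclen)
{
    char buf[64];
    size_t n;

    if (!lsm_loaded)
        return -EOPNOTSUPP;
    /* constructed SELinux-style label, derived from the secid */
    snprintf(buf, sizeof buf, "system_u:object_r:ctx_%u:s0", secid);
    n = strlen(buf);
    *seclen = (unsigned int)n;
    if (secdata) {
        *secdata = malloc(n + 1);
        if (!*secdata)
            return -ENOMEM;
        memcpy(*secdata, buf, n + 1);
    }
    return 0;
}

static void security_release_secctx(char *secdata, unsigned int seclen)
{
    (void)seclen;
    free(secdata);
}

/* Simplified netlink attribute accounting: 4-byte header plus payload, padded to 4. */
#define NLA_HDRLEN 4u
static unsigned int nla_total_size(unsigned int payload)
{
    return (NLA_HDRLEN + payload + 3u) & ~3u;
}

/* Before: the return value is ignored, so with no LSM 'len' keeps whatever was
 * on the stack and the computed size is garbage. 0xdeadbeef stands in for that
 * uninitialised value. */
unsigned int secctx_size_before(unsigned int secmark)
{
    unsigned int len = 0xdeadbeefu;
    security_secid_to_secctx(secmark, NULL, &len);
    return nla_total_size(0) + nla_total_size(len);
}

/* After: a failed lookup contributes nothing, so the size estimate agrees with
 * what the dump routine below actually emits. */
unsigned int secctx_size_after(unsigned int secmark)
{
    unsigned int len;
    if (security_secid_to_secctx(secmark, NULL, &len))
        return 0;
    return nla_total_size(0) + nla_total_size(len);
}

/* /proc-style formatting under the same rule: omit the field on error instead
 * of emitting a bogus context. Returns 0 on success, -1 if 'out' is too small. */
int format_secctx(unsigned int secmark, char *out, size_t outsz)
{
    char *secctx;
    unsigned int len;
    int n;

    out[0] = '\0';
    if (security_secid_to_secctx(secmark, &secctx, &len))
        return 0;                      /* no LSM: field skipped, line stays valid */
    n = snprintf(out, outsz, "secctx=%s ", secctx);
    security_release_secctx(secctx, len);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char line[128];

    set_lsm_loaded(0);
    printf("no LSM:  before=%u after=%u\n", secctx_size_before(7), secctx_size_after(7));
    format_secctx(7, line, sizeof line);
    printf("no LSM:  proc field='%s'\n", line);

    set_lsm_loaded(1);
    printf("LSM:     before=%u after=%u\n", secctx_size_before(7), secctx_size_after(7));
    format_secctx(7, line, sizeof line);
    printf("LSM:     proc field='%s'\n", line);
    return 0;
}
```

The point to carry over to real netlink code is that the size-estimation path and the attribute-emitting path must take the same decision on the same error; if only the dump side skips the attribute, the preallocated skb is sized for data that never arrives (or, with an uninitialised length, for an arbitrary amount of it).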