The kernel fills in structxt_secmark_target_info->secid, so when the rule is received from kernel it won't match a newly created one. This prevented delete by rulespec and check commands. Make use of newly introduced matchmask callback to prepare a mask which explicitly excludes the secid field.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
extensions/libxt_SECMARK.c | 10 ++++++++++
extensions/libxt_SECMARK.t | 4 ++++
2 files changed, 14 insertions(+)
create mode 100644 extensions/libxt_SECMARK.t
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 6ba8606355daa..e9fd133642f00 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -6,6 +6,7 @@
 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@xxxxxxxxxx>
 */
 #include <stdio.h>
+#include <string.h>
 #include <xtables.h>
 #include <linux/netfilter/xt_SECMARK.h>
@@ -68,6 +69,14 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
 print_secmark(info);
 }
+static void SECMARK_matchmask(void *mask)
+{
+ struct xt_secmark_target_info *info = mask;
+
+ memset(mask, 0xFF, XT_ALIGN(sizeof(struct xt_secmark_target_info)));
+ info->secid = 0;
+}
+
 static struct xtables_target secmark_target = {
 .family = NFPROTO_UNSPEC,
 .name = "SECMARK",
@@ -80,6 +89,7 @@ static struct xtables_target secmark_target = {
 .save = SECMARK_save,
 .x6_parse = SECMARK_parse,
 .x6_options = SECMARK_opts,
+ .matchmask = SECMARK_matchmask,
 };
 void _init(void)
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
new file mode 100644
index 0000000000000..39d4c09348bf4
--- /dev/null
+++ b/extensions/libxt_SECMARK.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
-- 
2.25.1
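Review bot: SECMARK_matchmask fills XT_ALIGN(sizeof(struct xt_secmark_target_info)) bytes through a `void *mask` that carries no length, so it is correct only if the caller of the new matchmask callback allocates the mask from the target's `.size` (set outside this hunk); neither that contract nor the reason for clearing secid is stated in the code, only in the commit message. Suggested comment above the function: `/* Mask for comparing this target against a kernel rule: every byte of the info except secid, which the kernel fills in and so never matches a freshly parsed rule. The caller must size mask to .size bytes. */`. `memset(mask, 0xFF, XT_ALIGN(sizeof(*info)));` would tie the length to the pointer's type instead of repeating the struct name. Padding bytes and the part of secctx beyond its terminator stay in the mask; this is harmless if both copies originate from zeroed memory, which this hunk does not show.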
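Review bot: The .t case only checks that `-j SECMARK --selctx …` parses and saves back unchanged; whether it also exercises the delete-by-rulespec and `-C` paths this patch fixes depends on the test harness deleting each rule after the save comparison, which is not visible here. If the harness only appends and saves, the regression this patch fixes stays untested and a comment line in the test saying so would help the next reader. The `-j SECMARK;;FAIL` line usefully pins --selctx as mandatory.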