The kernel sets struct secmark_target_info->secid, so target comparison in user space failed every time. Given that target data comparison happens in libiptc, fixing this is a bit harder than just adding a cmp() callback to struct xtables_target. Instead, allow for targets to write the matchmask bits for their private data themselves and account for that in both legacy and nft code. Then make use of the new infrastructure to fix libxt_SECMARK.

Phil Sutter (3):
  xshared: Share make_delete_mask() between ip{,6}tables
  libxtables: Introduce 'matchmask' target callback
  libxt_SECMARK: Fix for failing target comparison

 configure.ac               |  4 ++--
 extensions/libxt_SECMARK.c | 10 ++++++++++
 extensions/libxt_SECMARK.t |  4 ++++
 include/xtables.h          |  3 +++
 iptables/ip6tables.c       | 38 ++------------------------------------
 iptables/iptables.c        | 38 ++------------------------------------
 iptables/nft-shared.c      | 15 ++++++++++++++-
 iptables/xshared.c         | 38 ++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h         |  4 ++++
 9 files changed, 79 insertions(+), 75 deletions(-)
 create mode 100644 extensions/libxt_SECMARK.t

-- 
2.25.1
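The failure mode described in the cover letter, shown as a standalone illustration added here (not code from the iptables series): a rule compared byte-for-byte against the kernel's copy never matches once the kernel has written secid, while a target-supplied mask that clears the kernel-owned bytes makes the comparison succeed. The struct layout, the callback name secmark_matchmask and the secid value are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's SECMARK target data (constructed layout, not the
 * real header). User space fills mode and secctx; the kernel fills secid. */
#define SECCTX_MAX 256
struct secmark_info {
    uint8_t  mode;
    uint32_t secid;
    char     secctx[SECCTX_MAX];
};

/* Old behaviour: every byte of the target data must match. */
static void mask_all(unsigned char *mask, size_t len) { memset(mask, 0xff, len); }

/* Target-supplied mask (hypothetical callback): clear the kernel-owned
 * secid bytes so the comparison ignores them. */
static void secmark_matchmask(unsigned char *mask, size_t len)
{
    memset(mask, 0xff, len);
    memset(mask + offsetof(struct secmark_info, secid), 0, sizeof(uint32_t));
}

/* Masked byte comparison: only bits set in mask take part. */
static int masked_equal(const void *a, const void *b,
                        const unsigned char *mask, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < len; i++)
        if ((pa[i] ^ pb[i]) & mask[i])
            return 0;
    return 1;
}

/* 1 if the user-supplied rule compares equal to the kernel's copy of it. */
static int rule_matches(void (*build_mask)(unsigned char *, size_t))
{
    struct secmark_info user, kern;
    unsigned char mask[sizeof(struct secmark_info)];
    memset(&user, 0, sizeof user);
    user.mode = 1;
    strcpy(user.secctx, "system_u:object_r:httpd_packet_t:s0");
    memcpy(&kern, &user, sizeof kern);
    kern.secid = 4242;      /* constructed value the kernel wrote back */
    build_mask(mask, sizeof mask);
    return masked_equal(&user, &kern, mask, sizeof mask);
}
```

rule_matches(mask_all) returns 0 (the pre-fix behaviour), rule_matches(secmark_matchmask) returns 1.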