On Tue, May 12, 2020 at 07:10:15PM +0200, Phil Sutter wrote:
> The kernel sets struct secmark_target_info->secid, so target comparison
> in user space failed every time. Given that target data comparison
> happens in libiptc, fixing this is a bit harder than just adding a cmp()
> callback to struct xtables_target. Instead, allow for targets to write
> the matchmask bits for their private data themselves and account for
> that in both legacy and nft code. Then make use of the new
> infrastructure to fix libxt_SECMARK.

Hm, -D and -C with SECMARK have been broken since the beginning.

Another possibility would be to fix the kernel to update the layout, to get it aligned with other existing extensions.
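The failure mode under discussion, as an added illustration that is not code from the thread or from iptables: a rule blob that user space builds for -D or -C is compared byte for byte against the copy the kernel hands back, and any field the kernel rewrites after insertion (secid here) makes that comparison fail. Letting the target supply matchmask bits that zero out such kernel-owned bytes restores the comparison. The struct below is a simplified stand-in for struct xt_secmark_target_info, and the security context strings and secid value are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECCTX_LEN 256

/* Simplified stand-in (hypothetical layout) for the SECMARK target's
 * private data: user space fills mode and secctx, the kernel overwrites
 * secid when the rule is loaded. */
struct secmark_info {
    uint8_t  mode;
    uint32_t secid;              /* kernel-owned: rewritten on insertion */
    char     secctx[SECCTX_LEN]; /* user-owned: the context string */
};

/* Build a rule's private data. Zeroing first keeps struct padding
 * deterministic so the comparisons below only differ where intended. */
static void build_rule(struct secmark_info *info, const char *ctx,
                       uint32_t kernel_secid)
{
    memset(info, 0, sizeof(*info));
    info->mode = 1;
    info->secid = kernel_secid;
    strncpy(info->secctx, ctx, SECCTX_LEN - 1);
}

/* Target-supplied matchmask: 0xff for every byte user space controls,
 * 0x00 across the kernel-owned secid field. This is the idea of letting
 * a target write the matchmask bits for its own private data. */
static void secmark_matchmask(unsigned char *mask, size_t len)
{
    memset(mask, 0xff, len);
    memset(mask + offsetof(struct secmark_info, secid), 0x00,
           sizeof(uint32_t));
}

/* Masked compare: blobs are equal iff they agree on every masked-in byte. */
static int masked_equal(const unsigned char *a, const unsigned char *b,
                        const unsigned char *mask, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((a[i] ^ b[i]) & mask[i])
            return 0;
    return 1;
}

/* Plain byte compare of the user's rule against the kernel's copy.
 * Returns 0 because the kernel filled in secid. */
int plain_compare_matches(void)
{
    struct secmark_info user, kernel;
    build_rule(&user,   "system_u:object_r:httpd_packet_t:s0", 0);
    build_rule(&kernel, "system_u:object_r:httpd_packet_t:s0", 4242);
    return memcmp(&user, &kernel, sizeof(user)) == 0;
}

/* Same rule pair compared under the target's matchmask. Returns 1. */
int masked_compare_matches(void)
{
    struct secmark_info user, kernel;
    unsigned char mask[sizeof(struct secmark_info)];
    build_rule(&user,   "system_u:object_r:httpd_packet_t:s0", 0);
    build_rule(&kernel, "system_u:object_r:httpd_packet_t:s0", 4242);
    secmark_matchmask(mask, sizeof(mask));
    return masked_equal((unsigned char *)&user, (unsigned char *)&kernel,
                        mask, sizeof(mask));
}

/* The mask must not hide real differences: a different context string
 * is still rejected. Returns 0. */
int masked_compare_rejects_other_ctx(void)
{
    struct secmark_info user, kernel;
    unsigned char mask[sizeof(struct secmark_info)];
    build_rule(&user,   "system_u:object_r:httpd_packet_t:s0", 0);
    build_rule(&kernel, "system_u:object_r:sshd_packet_t:s0", 4242);
    secmark_matchmask(mask, sizeof(mask));
    return masked_equal((unsigned char *)&user, (unsigned char *)&kernel,
                        mask, sizeof(mask));
}

int main(void)
{
    printf("plain compare matches:  %d\n", plain_compare_matches());
    printf("masked compare matches: %d\n", masked_compare_matches());
    printf("masked, other ctx:      %d\n", masked_compare_rejects_other_ctx());
    return 0;
}
```

The first function reproduces the bug the patch describes (every delete or check of a SECMARK rule fails), the second shows the matchmask fix, and the third confirms the mask only blanks the kernel-owned field rather than weakening the comparison.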