Hi Pablo,

On Thu, May 14, 2020 at 02:23:28PM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 12, 2020 at 07:10:15PM +0200, Phil Sutter wrote:
> > The kernel sets struct secmark_target_info->secid, so target comparison
> > in user space failed every time. Given that target data comparison
> > happens in libiptc, fixing this is a bit harder than just adding a cmp()
> > callback to struct xtables_target. Instead, allow for targets to write
> > the matchmask bits for their private data themselves and account for
> > that in both legacy and nft code. Then make use of the new
> > infrastructure to fix libxt_SECMARK.
>
> Hm, -D and -C with SECMARK are broken since the beginning.

Yes, sadly.

> Another possibility would be to fix the kernel to update the layout, to
> get it aligned with other existing extensions.

You mean using 'usersize' just like e.g. xt_bpf.c? One advantage of my
fix is it works with old kernels as well.

Cheers, Phil
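As an added example (not code from the iptables tree, from Phil's patch, or from the thread above), the C program below reproduces the failure mode described in the quoted commit message and the matchmask-based fix: user space builds the SECMARK target data with secid left at zero, the kernel fills secid in at checkentry time, so a byte-for-byte comparison of the two copies fails while a comparison that uses a target-supplied matchmask with the secid bytes cleared succeeds. The struct is a simplified stand-in for xt_secmark_target_info, secmark_matchmask() is a hypothetical helper standing in for whatever per-target hook the patch adds, and the SELinux context string and secid value are constructed.

```c
/* Added example, not from libxtables: why -D/-C fail on SECMARK rules when
 * every byte of the target data is compared, and how a target-supplied
 * matchmask that ignores the kernel-owned secid field fixes it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECCTX_MAX 256

/* Simplified stand-in for struct xt_secmark_target_info (assumption). */
struct secmark_info {
    uint8_t  mode;
    uint32_t secid;             /* written by the kernel, not by user space */
    char     secctx[SECCTX_MAX];
};

/* Naive comparison: what happens when every matchmask bit is set. */
static bool compare_all_bytes(const struct secmark_info *a,
                              const struct secmark_info *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

/* Hypothetical per-target matchmask hook: set every byte, then clear the
 * bytes of secid so the comparison ignores whatever the kernel put there. */
static void secmark_matchmask(unsigned char *mask, size_t len)
{
    memset(mask, 0xff, len);
    memset(mask + offsetof(struct secmark_info, secid), 0,
           sizeof(((struct secmark_info *)0)->secid));
}

/* Masked comparison: a byte whose mask is 0 can never cause a mismatch. */
static bool compare_masked(const void *a, const void *b,
                           const unsigned char *mask, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    for (size_t i = 0; i < len; i++)
        if ((pa[i] ^ pb[i]) & mask[i])
            return false;
    return true;
}

/* User-space view of the rule: only the context string is known, secid is 0.
 * memset first so struct padding is deterministic. */
static void build_user_rule(struct secmark_info *info, const char *ctx)
{
    memset(info, 0, sizeof(*info));
    info->mode = 1;
    strncpy(info->secctx, ctx, SECCTX_MAX - 1);
}

/* Same rule as read back from the kernel, with secid resolved. */
static void build_kernel_rule(struct secmark_info *info, const char *ctx,
                              uint32_t secid)
{
    build_user_rule(info, ctx);
    info->secid = secid;
}

/* Returns 1 when the naive compare fails and the masked compare succeeds,
 * i.e. when the matchmask approach is what makes -D/-C find the rule. */
int demo_secmark_delete(void)
{
    const char *ctx = "system_u:object_r:httpd_packet_t:s0"; /* constructed */
    struct secmark_info want, have;
    unsigned char mask[sizeof(struct secmark_info)];

    build_user_rule(&want, ctx);
    build_kernel_rule(&have, ctx, 42);        /* 42: constructed secid */
    secmark_matchmask(mask, sizeof(mask));

    bool naive  = compare_all_bytes(&want, &have);
    bool masked = compare_masked(&want, &have, mask, sizeof(mask));
    return !naive && masked;
}

int main(void)
{
    printf("matchmask fix makes the rule comparable: %s\n",
           demo_secmark_delete() ? "yes" : "no");
    return 0;
}
```

The mask is sized to the whole target data block rather than just the private struct, mirroring how the legacy and nft paths would apply it: bytes the target declares as kernel-owned are skipped, everything else, including the mode and the context string, is still compared exactly.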