Re: decipher the secmark number from nf_conntrack/ip_conntrack


On 9/20/10 5:42 AM, Mr Dash Four wrote:

> The output of SECMARK_print is seen when I list the mangle table with
> iptables ('iptables -t mangle -L -n' for example) and there is the
> SELinux context in full view as I originally registered the rule match
> with. So, if I am to kindly ask the devs maintaining the iptables code
> to change the above function to include the following line:
> 
> printf("selctx %s [%u]", info->u.sel.selctx,info->u.sel.selsid);\
> 
> instead of:
> 
> printf("selctx %s ", info->u.sel.selctx);\
> 

That breaks iptables-save/-restore. The attached patch does not.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- libxt_SECMARK.c~	2009-06-16 07:37:44.000000000 -0700
+++ libxt_SECMARK.c	2010-09-20 11:57:58.000000000 -0700
@@ -65,7 +65,7 @@
 {
 	switch (info->mode) {
 	case SECMARK_MODE_SEL:
-		printf("selctx %s ", info->u.sel.selctx);\
+	        printf("selctx %s [%u] ", info->u.sel.selctx, info->u.sel.selsid);
 		break;
 	
 	default:
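Review bot: the added `printf("selctx %s [%u] ", ...)` line is indented with a tab followed by spaces, while the removed line and the surrounding `case`/`break` lines use two tabs; match the file's tab indentation. The change itself is sound: the `[%u]` suffix is confined to `print_secmark`, so `iptables -L` output gains the SID while the save path (split into its own helper in the next hunk) keeps the `selctx %s` form that `iptables-restore` can parse. Dropping the stray trailing `\` from the old line is also right, since as a line continuation it glued the `printf` statement and the following `break;` onto one logical line.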
@@ -83,13 +83,25 @@
 	print_secmark(info);
 }
 
+static void save_secmark(const struct xt_secmark_target_info *info)
+{
+	switch (info->mode) {
+	case SECMARK_MODE_SEL:
+		printf("selctx %s ", info->u.sel.selctx);\
+		break;
+	
+	default:
+		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+	}
+}
+
 static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_secmark_target_info *info =
 		(struct xt_secmark_target_info*)target->data;
 
 	printf("--");
-	print_secmark(info);
+	save_secmark(info);
 }
 
 static struct xtables_target secmark_target = {
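Review bot: the new `save_secmark` line `printf("selctx %s ", info->u.sel.selctx);\` reintroduces the same stray trailing backslash that the first hunk just removed from `print_secmark`; it is a line continuation that joins the statement to the following `break;`, harmless to the compiler but misleading, so drop it. Also, `save_secmark` duplicates `print_secmark` apart from the `[%u]` suffix, so the two `switch` statements can drift apart over time; consider having `print_secmark` call `save_secmark` and then append the SID, which keeps a single source for the mode handling while still guaranteeing that the save output never gains the SID and stays loadable by `iptables-restore`.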

Attachment: signature.asc
Description: OpenPGP digital signature

