On 9/20/10 5:42 AM, Mr Dash Four wrote:
> The output of SECMARK_print is seen when I list the mangle table with
> iptables ('iptables -t mangle -L -n' for example) and there is the
> SELinux context in full view as I originally registered the rule match
> with. So, if I am to kindly ask the devs maintaining the iptables code
> to change the above function to include the following line:
>
> printf("selctx %s [%u]", info->u.sel.selctx,info->u.sel.selsid);\
>
> instead of:
>
> printf("selctx %s ", info->u.sel.selctx);\

That breaks iptables-save/-restore. The attached patch does not.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA    \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- libxt_SECMARK.c~ 2009-06-16 07:37:44.000000000 -0700 +++ libxt_SECMARK.c 2010-09-20 11:57:58.000000000 -0700 @@ -65,7 +65,7 @@ { switch (info->mode) { case SECMARK_MODE_SEL: - printf("selctx %s ", info->u.sel.selctx);\ + printf("selctx %s [%u] ", info->u.sel.selctx, info->u.sel.selsid); break; default: @@ -83,13 +83,25 @@ print_secmark(info); } +static void save_secmark(const struct xt_secmark_target_info *info) +{ + switch (info->mode) { + case SECMARK_MODE_SEL: + printf("selctx %s ", info->u.sel.selctx);\ + break; + + default: + xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); + } +} + static void SECMARK_save(const void *ip, const struct xt_entry_target *target) { const struct xt_secmark_target_info *info = (struct xt_secmark_target_info*)target->data; printf("--"); - print_secmark(info); + save_secmark(info); } static struct xtables_target secmark_target = {
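Review bot: the `[%u]` added in the first hunk only touches `print_secmark`, the listing path, so the SID never reaches the `--selctx` line that `SECMARK_save` emits, which is what keeps `iptables-save`/`-restore` working; the value printed is whatever `info->u.sel.selsid` holds in the target data returned by the kernel, and since an SELinux SID is a runtime, policy-specific number it is informational only, so the commit message should say that the SID is displayed but is not accepted as input. Dropping the stray trailing `\` after the `printf(...)` on the changed line is a good cleanup.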
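Review bot: the new `save_secmark` in the second hunk is a verbatim copy of the pre-patch `print_secmark` body and carries over the stray `\` after `printf("selctx %s ", info->u.sel.selctx);`, so remove it here as the first hunk did. Duplicating the whole `switch`, including the `default:` `xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);` branch, means the two functions will drift; a single helper such as `print_secmark(info, with_sid)` that emits `[%u]` only when `with_sid` is set, called with false from `SECMARK_save` and true from the `-L` path, keeps one copy of the mode check and still guarantees the save output stays exactly the `--selctx <context>` form the parser accepts.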