On 9/20/10 5:42 AM, Mr Dash Four wrote:
> The output of SECMARK_print is seen when I list the mangle table with
> iptables ('iptables -t mangle -L -n' for example) and there is the
> SELinux context in full view as I originally registered the rule match
> with. So, if I am to kindly ask the devs maintaining the iptables code
> to change the above function to include the following line:
>
> printf("selctx %s [%u]", info->u.sel.selctx,info->u.sel.selsid);\
>
> instead of:
>
> printf("selctx %s ", info->u.sel.selctx);\
>
That breaks iptables-save/-restore. The attached patch does not.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- libxt_SECMARK.c~ 2009-06-16 07:37:44.000000000 -0700
+++ libxt_SECMARK.c 2010-09-20 11:57:58.000000000 -0700
@@ -65,7 +65,7 @@
{
switch (info->mode) {
case SECMARK_MODE_SEL:
- printf("selctx %s ", info->u.sel.selctx);\
+ printf("selctx %s [%u] ", info->u.sel.selctx, info->u.sel.selsid);
break;
default:
@@ -83,13 +83,25 @@
print_secmark(info);
}
+static void save_secmark(const struct xt_secmark_target_info *info)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf("selctx %s ", info->u.sel.selctx);\
+ break;
+
+ default:
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_secmark_target_info *info =
(struct xt_secmark_target_info*)target->data;
printf("--");
- print_secmark(info);
+ save_secmark(info);
}
static struct xtables_target secmark_target = {
Attachment:
signature.asc
Description: OpenPGP digital signature
