Currently the nfconntrack export code sends the kernel internal secid to userspace in a couple of proc files and over netlink as an integer. This is wrong. This number is a kernel internal. This patch changes the export code to output either 0 or 1 for this value. A future patch will implement sending the name rather than the number in a new field.
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 .../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 +-
 net/netfilter/nf_conntrack_netlink.c | 2 +-
 net/netfilter/nf_conntrack_standalone.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 244f7cb..053d7d3 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -149,7 +149,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 #endif
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
- if (seq_printf(s, "secmark=%u ", ct->secmark))
+ if (seq_printf(s, "secmark=%u ", ct->secmark ? 1 : 0))
 goto release;
 #endif
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 5bae1cd..3a50699 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -247,7 +247,7 @@ nla_put_failure:
 static inline int
 ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
 {
- NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
+ NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark ? 1 : 0));
 return 0;
 nla_put_failure:
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index eb973fc..a5761d3 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
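Review bot: In ct_seq_show() of nf_conntrack_l3proto_ipv4_compat.c the `secmark=` field keeps its name and `%u` format while its value changes from the secid to a 0/1 flag, and nothing at the `seq_printf` call records that; the identical hunk in nf_conntrack_standalone.c has the same gap. I would add a comment above both calls, for example `/* secid is kernel-internal: export only whether a secmark is set */`, so a later change does not restore the raw value. Anything in userspace that parsed or compared the old number will now see only 0 or 1, which the changelog could state explicitly. ct_seq_show() starts and ends outside the hunk.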
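Review bot: ctnetlink_dump_secmark() in nf_conntrack_netlink.c still emits CTA_SECMARK as a 32-bit attribute, but after this change it can only hold 0 or 1, and the code gives a netlink consumer or maintainer no hint that the attribute is now a flag rather than an identifier. A short comment before the `NLA_PUT_BE32` line would cover it, e.g. `/* never export the raw secid; CTA_SECMARK only reports set/unset */`. The expression `ct->secmark ? 1 : 0` now appears in three places (here and both ct_seq_show() hunks); a small shared inline helper would keep them in step when the planned name-export field is added. The function's error path after `nla_put_failure:` lies outside the hunk.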
@@ -169,7 +169,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 #endif
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
- if (seq_printf(s, "secmark=%u ", ct->secmark))
+ if (seq_printf(s, "secmark=%u ", ct->secmark ? 1 : 0))
 goto release;
 #endif
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.