bugzilla-daemon at netfilter.org
2024-Apr-18  20:35 UTC
[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
            Bug ID: 1749
           Summary: netfilter/nftables secmark support limited to 255
                    bytes
           Product: netfilter/iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: joe at nall.com
The kernel and nftables userspace are both limited to 255 byte
(NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts.
If we start with 44 characters of non category SELinux packet context
 system_u:object_r:http_client_packet_t:s10:
we are left with 211 bytes for category bit representation.
If we are using 1024 category bits, it could take 5 bytes for each bit if they
are spread out
 c100,c123,c201,...
This only gives us 42 usable category bits worst case.
We have real world SELinux contexts that don't fit in 255 bytes. We sorted
this out in Labeled IPSec and netlabel years ago but had not tried to use
secmark until recently.
Is it possible to increase this limit to 4k or remove the explicit limit
entirely?
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240418/394d7bfc/attachment.html>
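To make the report's arithmetic concrete, here is an added example (not part of the bug report or of nftables) that renders an SELinux MLS category set the way the kernel prints it (runs of three or more consecutive categories collapse to cX.cY) and checks the resulting packet context against the 256-byte NFT_SECMARK_CTX_MAXLEN buffer (255 usable characters plus the terminating NUL). The base context, sensitivity and category numbers are constructed sample values modelled on the report.

```python
"""Check whether an SELinux MLS packet context fits the netfilter secmark cap."""

# Cap quoted in the report: 256 bytes including the NUL, so 255 characters.
NFT_SECMARK_CTX_MAXLEN = 256
# Value proposed in the report as the replacement cap.
PROPOSED_CTX_MAXLEN = 4096
# SELinux category numbers run from c0 to c1023.
SELINUX_MAX_CAT = 1023
# Constructed sample: the non-category part of the context from the report.
BASE_CONTEXT = "system_u:object_r:http_client_packet_t"


def render_categories(cats):
    """Render category numbers as SELinux does: a run of three or more
    consecutive categories becomes 'cX.cY', shorter runs are listed singly."""
    cats = sorted(set(cats))
    parts, i = [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        run = cats[i:j + 1]
        parts.append(f"c{run[0]}.c{run[-1]}" if len(run) >= 3
                     else ",".join(f"c{c}" for c in run))
        i = j + 1
    return ",".join(parts)


def secmark_context(base, sensitivity, cats):
    """Build 'user:role:type:sN[:categories]' from its parts."""
    rendered = render_categories(cats)
    ctx = f"{base}:s{sensitivity}"
    return f"{ctx}:{rendered}" if rendered else ctx


def fits_secmark(ctx, maxlen=NFT_SECMARK_CTX_MAXLEN):
    """True if the context plus its NUL terminator fits in maxlen bytes."""
    return len(ctx.encode()) + 1 <= maxlen


def max_spread_categories(base, sensitivity, start=100, stride=20,
                          maxlen=NFT_SECMARK_CTX_MAXLEN):
    """Worst case from the report: categories spaced so that nothing
    compresses. Returns how many fit before the context overflows maxlen."""
    cats = []
    while True:
        nxt = start + len(cats) * stride
        if nxt > SELINUX_MAX_CAT:
            return len(cats)
        if not fits_secmark(secmark_context(base, sensitivity, cats + [nxt]), maxlen):
            return len(cats)
        cats.append(nxt)
```

With the 256-byte cap the spread-out case tops out at 42 categories, matching the report, while a contiguous c0.c1023 set compresses to a few bytes and fits easily.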
bugzilla-daemon at netfilter.org
2024-Apr-21  20:24 UTC
[Bug 1749] netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
paul at paul-moore.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paul at paul-moore.com
bugzilla-daemon at netfilter.org
2024-Jun-03  17:55 UTC
[Bug 1749] netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to joe from comment #0)
> The kernel and nftables userspace are both limited to 255 byte
> (NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts.
iptables has capped secctx:
#define SECMARK_SECCTX_MAX      256
> Is it possible to increase this limit to 4k or remove the explicit limit
> entirely?
Yes, it is indeed a one-liner:
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi/linux/netfilter/nf_tables.h
index aa4094ca2444..639894ed1b97 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1376,7 +1376,7 @@ enum nft_secmark_attributes {
 #define NFTA_SECMARK_MAX       (__NFTA_SECMARK_MAX - 1)
 /* Max security context length */
-#define NFT_SECMARK_CTX_MAXLEN         256
+#define NFT_SECMARK_CTX_MAXLEN         4096
 /**
  * enum nft_reject_types - nf_tables reject expression reject types
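Review bot: The hunk raises only the kernel-side uapi constant, but comment #0 says the nftables userspace carries the same 255-byte cap, so a matching userspace change is needed before a 4096-byte context can actually be configured, and the commit message should state why the limit is being raised (SELinux MLS contexts with many category bits no longer fitting in 255 bytes). Because NFT_SECMARK_CTX_MAXLEN now sizes things sixteen times larger, every use of the macro, including any fixed-size array or netlink attribute policy length derived from it, should be checked to tolerate 4096 before this is merged; the 256-byte iptables SECMARK_SECCTX_MAX quoted above is a separate cap that this patch leaves unchanged.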
bugzilla-daemon at netfilter.org
2024-Jun-03  18:19 UTC
[Bug 1749] netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I have posted this patch:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240603181659.5998-1-pablo at netfilter.org/