bugzilla-daemon at netfilter.org
2024-Apr-18 20:35 UTC
[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749 Bug ID: 1749 Summary: netfilter/nftables secmark support limited to 255 bytes Product: netfilter/iptables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: unknown Assignee: netfilter-buglog at lists.netfilter.org Reporter: joe at nall.com The kernel and nftables userspace are both limited to 255 byte (NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts. If we start with 44 characters of non category SELinux packet context system_u:object_r:http_client_packet_t:s10: we are left with 211 bytes for category bit representation. If we are using 1024 category bits, it could take 5 bytes for each bit if they are spread out c100,c123,c201,... This only gives us 42 usable category bits worst case. We have real world SELinux contexts that don't fit in 255 bytes. We sorted this out in Labeled IPSec and netlabel years ago but had not tried to used secmark until recently. Is it possible to increase this limit to 4k or remove the explicit limit entirely? -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240418/394d7bfc/attachment.html>
bugzilla-daemon at netfilter.org
2024-Apr-21 20:24 UTC
[Bug 1749] netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749 paul at paul-moore.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paul at paul-moore.com -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240421/1a6110e8/attachment.html>