2024 Apr 18
[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes
...re: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: joe at nall.com
The kernel and nftables userspace are both limited to 255-byte
(NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts.
If we start with 44 characters of non-category SELinux packet context,
system_u:object_r:http_client_packet_t:s10:
we are left with 211 bytes for category bit representation.
If we are using 1024 category bits, it could take 5 bytes for each bit if they
are spread out...
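As an added illustration (not part of the bug report, of nftables or of the kernel), the script below builds an MCS/MLS context string from a set of category bits and checks it against NFT_SECMARK_CTX_MAXLEN, so the difference between a dense category set and a sparse one can be seen directly. The category syntax (cN entries, comma separated, contiguous runs written as cLOW.cHIGH) and the rule that only runs of three or more categories collapse are assumptions about how SELinux formats contexts; whether the terminating NUL counts against the 255 bytes is not settled by the report, so the check uses the plain string length.

```python
# Added example: does an SELinux context with a given category set fit in
# the 255-byte secmark buffer (NFT_SECMARK_CTX_MAXLEN) named in the bug report?
# Illustration code only; not taken from nftables or the kernel.

NFT_SECMARK_CTX_MAXLEN = 255

# Non-category part of the context quoted in the report (no trailing colon;
# build_context() adds the separator itself).
PREFIX = "system_u:object_r:http_client_packet_t:s10"


def encode_categories(cats):
    """Render a set of category numbers as an MCS category string.

    Assumed formatting convention: single categories are written cN and
    joined with commas; a run of three or more consecutive categories is
    collapsed to cLOW.cHIGH, while a run of two stays as two entries.
    """
    cats = sorted(set(cats))
    parts = []
    i, n = 0, len(cats)
    while i < n:
        j = i
        while j + 1 < n and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"c{cats[i]}.c{cats[j]}")
        else:
            parts.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    return ",".join(parts)


def build_context(prefix, cats):
    """Append the category string (if any) to the sensitivity-level prefix."""
    body = encode_categories(cats)
    return f"{prefix}:{body}" if body else prefix


def fits_secmark(ctx, maxlen=NFT_SECMARK_CTX_MAXLEN):
    """True if the context fits the secmark buffer (NUL not counted; assumption)."""
    return len(ctx.encode("utf-8")) <= maxlen


def category_budget(prefix, maxlen=NFT_SECMARK_CTX_MAXLEN):
    """Bytes left for the category string after the prefix and its ':' separator."""
    return maxlen - len(prefix) - 1


if __name__ == "__main__":
    # Constructed inputs: all 1024 categories (dense) vs. every other one (sparse).
    dense = build_context(PREFIX, range(1024))
    sparse = build_context(PREFIX, range(0, 1024, 2))
    print(f"category budget after prefix: {category_budget(PREFIX)} bytes")
    for name, ctx in (("dense", dense), ("sparse", sparse)):
        print(f"{name}: {len(ctx)} bytes, fits={fits_secmark(ctx)}")
```

The dense set (c0.c1023) collapses to a handful of bytes and fits easily, while the alternating set needs several thousand bytes: 512 separate entries of up to five characters each plus their commas, which is the "spread out" case the report describes.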