[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes

Thu Apr 18 22:35:56 CEST 2024

https://bugzilla.netfilter.org/show_bug.cgi?id=1749

            Bug ID: 1749
           Summary: netfilter/nftables secmark support limited to 255
                    bytes
           Product: netfilter/iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: joe at nall.com

The kernel and nftables userspace are both limited to 255 byte
(NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts.

If we start with 44 characters of non category SELinux packet context

 system_u:object_r:http_client_packet_t:s10:

we are left with 211 bytes for category bit representation.

If we are using 1024 category bits, it could take 5 bytes for each bit if they
are spread out

 c100,c123,c201,...

This only gives us 42 usable category bits worst case.

We have real world SELinux contexts that don't fit in 255 bytes. We sorted this
out in Labeled IPSec and netlabel years ago but had not tried to used secmark
until recently.

Is it possible to increase this limit to 4k or remove the explicit limit
entirely?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240418/394d7bfc/attachment.html>