[Bug 1749] netfilter/nftables secmark support limited to 255 bytes
bugzilla-daemon at netfilter.org
Mon Jun 3 19:55:01 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |ASSIGNED
             CC|                            |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to joe from comment #0)
> The kernel and nftables userspace are both limited to 255 byte
> (NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts.
iptables has capped secctx:
#define SECMARK_SECCTX_MAX 256
> Is it possible to increase this limit to 4k or remove the explicit limit
> entirely?
Yes, it is indeed a one-liner:
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi/linux/netfilter/nf_tables.h
index aa4094ca2444..639894ed1b97 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1376,7 +1376,7 @@ enum nft_secmark_attributes {
#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
/* Max security context length */
-#define NFT_SECMARK_CTX_MAXLEN 256
+#define NFT_SECMARK_CTX_MAXLEN 4096
/**
* enum nft_reject_types - nf_tables reject expression reject types
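Review bot: the comment above the define, "/* Max security context length */", should say whether the value counts the terminating NUL, because the report quotes the limit as 255 bytes while the define is 256, and the same ambiguity carries over to 4096 versus 4095 after this change; something like "/* Max security context length, including the terminating NUL */" (or the opposite, whichever the users of the define actually implement) would settle it. Since the header lives under include/uapi, the bump is also ABI-visible: a userspace built against the new header can send contexts longer than 256 bytes to an older kernel that still enforces the old value, and a userspace built against the old header keeps sizing its buffers at 256, so the commit message should spell out the compatibility expectation in both directions. Finally, the patch changes only the header; any kernel-side or nftables buffer sized directly by NFT_SECMARK_CTX_MAXLEN (a fixed-size array on the stack in particular) grows sixteenfold with it, so the users of the define should be audited, and ideally rebuilt and tested with a context near the new maximum, in the same series.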