connmark: Compare the complete rules when deleting them

By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).

Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.

Fixes #1229.

diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index cd53701e898ffa61b17f21d8b96fda7acfd648de..9dde7c1c57399bbe6855d8a0f1dabdafe4925fe9 100644 (file)
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -101,7 +101,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
        }
        else
        {
-               if (!iptc_delete_entry(chain, e, "", ipth))
+               u_char matchmask[e->next_offset];
+
+               memset(matchmask, 255, sizeof(matchmask));
+               if (!iptc_delete_entry(chain, e, matchmask, ipth))
                {
                        DBG1(DBG_CFG, "deleting %s rule failed: %s",
                                 chain, iptc_strerror(errno));