On Tue, Sep 18, 2018 at 12:23:42PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Sep 18, 2018 at 02:56:02AM +0200, Florian Westphal wrote:
[...]
> > We'd need a new NFT_OBJECT_SELCTX in kernel, that gets the security
> > label and can do the conversion to the 32-bit id.
> >
> > This would live in nft_meta.c, similar to nft_ct_helper_obj_type living
> > in nft_ct.c .
> >
> > static struct nft_object_ops nft_selctx_obj_type;
> >
> > 1. policy that gets the NLA_STRING
> > 2. init() function that converts string -> id
> > 3. dump() function that dumps string back to userspace
> > 4. eval() function that sets skb->secmark = priv->id;

BTW, we can likely follow the same approach with cgroups v2 support, not
that we need this now, just to keep it in mind.
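The four-step object sketched in the quoted reply, as an added user-space model that is not code from the thread or from the kernel tree: the label is resolved to a 32-bit id once in init(), dump() hands the original string back, and eval() does nothing per packet except copy the cached id into the secmark. The function names, the `nft_selctx_obj` layout and the label table are assumptions; in the kernel the string-to-id step would go through the LSM (security_secctx_to_secid()) rather than a fixed table.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t u32;

struct sk_buff_model { u32 secmark; };   /* only the field eval() touches */

/* Constructed stand-in for the LSM's label -> secid mapping. */
static const struct { const char *ctx; u32 secid; } label_table[] = {
    { "system_u:object_r:httpd_packet_t:s0", 42 },
    { "system_u:object_r:ssh_packet_t:s0",   43 },
};

/* Hypothetical private data: the cached id plus the string for dump(). */
struct nft_selctx_obj { u32 secid; char ctx[64]; };

/* Steps 1+2: the NLA_STRING label is converted exactly once, at object
 * creation. An unknown label is rejected here, not silently at eval(). */
static int selctx_obj_init(struct nft_selctx_obj *priv, const char *label)
{
    size_t n = sizeof(label_table) / sizeof(label_table[0]);

    if (!label || strlen(label) >= sizeof(priv->ctx))
        return -1;                       /* -EINVAL in kernel terms */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(label_table[i].ctx, label) == 0) {
            priv->secid = label_table[i].secid;
            strcpy(priv->ctx, label);
            return 0;
        }
    }
    return -2;                           /* unknown label: -ENOENT */
}

/* Step 3: userspace sees the label it configured, never the numeric id. */
static const char *selctx_obj_dump(const struct nft_selctx_obj *priv)
{
    return priv->ctx;
}

/* Step 4: per-packet work is a single store of the id cached by init(). */
static void selctx_obj_eval(const struct nft_selctx_obj *priv,
                            struct sk_buff_model *skb)
{
    skb->secmark = priv->secid;
}
```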