> Simplest version is to merge your patch into nft_meta.c, in the
> "set" part, and make the init() function translate it to the 32bit
> immediate, this would pretty much look like your patch.

Doesn't this conflict with the fact that e.g. reloading the SELinux policy
invalidates the string <-> id relation? As far as I dug into the code it
has to happen in the eval step.

> I think the best solution would be to add objref support for the
> selctx names.
>
> We'd need a new NFT_OBJECT_SELCTX in kernel, that gets the security
> label and can do the conversion to the 32bit id.
>
> This would live in nft_meta.c, similar to nft_ct_helper_obj_type living
> in nft_ct.c .
>
> static struct nft_object_ops nft_selctx_obj_type;
>
> 1. policy that gets the NLA_STRING
> 2. init() function that converts string -> id
> 3. dump() function that dumps string back to userspace
> 4. eval() function that sets skb->secmark = priv->id;

As far as I understand the code, these object-types are for states, like
quota or counters. How does SECMARK fit into this, why is such an object
necessary?
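A userspace model of the two designs discussed in this exchange, added here as an example and not code from the thread or from nftables: the policy table, `reload_policy()`, `mock_secctx_to_secid()` and the `secmark_obj_*` functions are all assumptions standing in for the kernel pieces. It shows how an id translated once in init() can go stale when the string <-> id relation changes, while translating in eval() does not.

```c
/* Added example (not kernel or nftables code): userspace model of init()-time
 * versus eval()-time translation of a SELinux context string to a secid.
 * reload_policy() renumbers a mock table to model the concern raised above. */
#include <stdint.h>
#include <string.h>

struct mock_policy_entry { const char *ctx; uint32_t secid; };
static struct mock_policy_entry policy[] = {   /* constructed sample policy */
    { "system_u:object_r:http_packet_t:s0", 1 },
    { "system_u:object_r:ssh_packet_t:s0",  2 },
};
#define NPOLICY (sizeof(policy) / sizeof(policy[0]))
/* Stand-in for security_secctx_to_secid(): 0 on success, -1 if unknown. */
static int mock_secctx_to_secid(const char *ctx, uint32_t *secid)
{
    for (size_t i = 0; i < NPOLICY; i++)
        if (strcmp(policy[i].ctx, ctx) == 0) { *secid = policy[i].secid; return 0; }
    return -1;
}
/* Mock policy reload: the labels survive, the numeric ids are reassigned. */
static void reload_policy(uint32_t base)
{
    for (size_t i = 0; i < NPOLICY; i++)
        policy[i].secid = base + (uint32_t)i;
}
struct mock_skb { uint32_t secmark; };
struct secmark_obj { char ctx[64]; uint32_t secid; }; /* label + id cached at init() */

/* Design 1, as in the NFT_OBJECT_SELCTX sketch: translate once in init(). */
static int secmark_obj_init(struct secmark_obj *o, const char *ctx)
{
    if (strlen(ctx) >= sizeof(o->ctx)) return -1;
    strcpy(o->ctx, ctx);
    return mock_secctx_to_secid(o->ctx, &o->secid);
}

/* eval() using the cached id (skb->secmark = priv->id); stale after a reload. */
static void secmark_obj_eval_cached(const struct secmark_obj *o, struct mock_skb *skb)
{
    skb->secmark = o->secid;
}

/* Design 2: re-translate the stored string on every eval(); 0 on success. */
static int secmark_obj_eval_resolve(const struct secmark_obj *o, struct mock_skb *skb)
{
    uint32_t id;
    if (mock_secctx_to_secid(o->ctx, &id)) return -1;
    skb->secmark = id;
    return 0;
}
```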