Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> > Simplest version is to merge your patch into nft_meta.c, in the
> > "set" part, and make the init() function translate it to the 32bit
> > immediate, this would pretty much look like your patch.
>
> Doesn't this conflict with the fact that e.g. reloading the SELinux
> policy invalidates the string <-> id relation?
> As far as I dug into the code it has to happen in the eval step.

Hmm, if that's the case xt_SECMARK is buggy because it does it during
rule add time.

> > I think the best solution would be to add objref support for the
> > selctx names.
> >
> > We'd need a new NFT_OBJECT_SELCTX in kernel, that gets the security
> > label and can do the conversion to the 32bit id.
> >
> > This would live in nft_meta.c, similar to nft_ct_helper_obj_type living
> > in nft_ct.c .
> >
> > static struct nft_object_ops nft_selctx_obj_type;
> >
> > 1. policy that gets the NLA_STRING
> > 2. init() function that converts string -> id
> > 3. dump() function that dumps string back to userspace
> > 4. eval() function that sets skb->secmark = priv->id;
>
> As far as I understand the code, these object-types are for states,
> like quota or counters.
> How does SECMARK fit into this, why is such an object necessary?

I would prefer not to fall into the iptables problem and have one rule
to assign each security label.

We can't pass a string in map case, input comes from a register (result
of map lookup) and the size of the strings is too big (256 byte vs. 64)
to use them directly.

With object infra, we can reference the object (the security label id)
via an nftables object name.
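A userspace model of the objref design sketched in this message, added here as an illustration; it is not code from nft_meta.c, nft_ct.c or the patch under discussion. The four steps (policy, init, dump, eval) are mapped onto plain functions, the object registry and the toy label -> id table are constructed for the model, and the names selctx_obj_init, selctx_obj_add and secmark_objref_eval are assumptions; the 64-byte register and 256-byte label sizes are the numbers quoted in the mail.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes, from the numbers in the mail: a 64-byte register and
 * labels up to 256 bytes, so a label cannot travel in a register but an
 * object name can. */
#define NFT_REG_SIZE 64
#define SELCTX_MAX   256
#define MAX_OBJS     8

/* Constructed stand-in for the SELinux string <-> id mapping (not the real
 * sidtab, not real policy ids). */
static const struct { const char *ctx; uint32_t id; } ctx_table[] = {
	{ "system_u:object_r:http_packet_t:s0", 0x10 },
	{ "system_u:object_r:ssh_packet_t:s0",  0x11 },
};

struct sk_buff { uint32_t secmark; };	/* only the field eval() touches */

struct nft_selctx_obj {
	char     name[NFT_REG_SIZE];	/* object name: what a map lookup yields */
	char     ctx[SELCTX_MAX];	/* label string, kept so dump() can return it */
	uint32_t id;			/* 32-bit id computed once by init() */
};

static struct nft_selctx_obj objs[MAX_OBJS];
static int nobjs;

/* Steps 1+2: policy (bounded NLA_STRING) and init(): string -> id, done
 * once at object-add time, not per packet. */
static int selctx_obj_init(struct nft_selctx_obj *obj, const char *name,
			   const char *ctx)
{
	size_t i;

	if (strlen(name) >= NFT_REG_SIZE || strlen(ctx) >= SELCTX_MAX)
		return -EINVAL;				/* policy rejects it */
	for (i = 0; i < sizeof(ctx_table) / sizeof(ctx_table[0]); i++) {
		if (strcmp(ctx_table[i].ctx, ctx) == 0) {
			strcpy(obj->name, name);
			strcpy(obj->ctx, ctx);
			obj->id = ctx_table[i].id;
			return 0;
		}
	}
	return -ENOENT;					/* unknown label: refuse */
}

/* Step 3: dump() hands the label string, not the id, back to userspace. */
static const char *selctx_obj_dump(const struct nft_selctx_obj *obj)
{
	return obj->ctx;
}

/* Step 4: eval() only copies the precomputed id into the packet. */
static void selctx_obj_eval(const struct nft_selctx_obj *obj, struct sk_buff *skb)
{
	skb->secmark = obj->id;
}

static struct nft_selctx_obj *selctx_obj_lookup(const char *name)
{
	int i;

	for (i = 0; i < nobjs; i++)
		if (strcmp(objs[i].name, name) == 0)
			return &objs[i];
	return NULL;
}

/* Object-add path: one object per label, rejecting duplicate names. */
static int selctx_obj_add(const char *name, const char *ctx)
{
	int err;

	if (nobjs == MAX_OBJS)
		return -ENOSPC;
	if (selctx_obj_lookup(name))
		return -EEXIST;
	err = selctx_obj_init(&objs[nobjs], name, ctx);
	if (err)
		return err;
	nobjs++;
	return 0;
}

/* objref in the map case: the register holds an object name produced by
 * the map lookup; resolve it and run eval(). Returns the resulting secmark,
 * or a negative errno if the name does not resolve. */
static long secmark_objref_eval(const char *reg_name)
{
	struct sk_buff skb = { 0 };
	struct nft_selctx_obj *obj = selctx_obj_lookup(reg_name);

	if (!obj)
		return -ENOENT;
	selctx_obj_eval(obj, &skb);
	return skb.secmark;
}

int main(void)
{
	selctx_obj_add("http", "system_u:object_r:http_packet_t:s0");
	printf("secmark via objref \"http\" = 0x%lx (%s)\n",
	       secmark_objref_eval("http"),
	       selctx_obj_dump(selctx_obj_lookup("http")));
	return 0;
}
```

The point the model makes is the one in the mail: the conversion runs once in init(), the per-packet path only ever sees a short object name in a register, and a single rule with a map can select among many labels without one rule per label.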