I am a bit stuck with the nft cli coding.

By now the following works:

$ nft add map inet filter secmapping { type inet_service : secmark \; }
$ nft add rule inet filter input tcp dport 21 secmark \"system_u:object_r:ftp_server_packet_t:s0\"
$ nft add rule inet filter input secmark name tcp dport map @secmapping
$ nft list ruleset
table inet filter {
	map secmapping {
		type inet_service : secmark
	}

	chain input {
		type filter hook input priority 0; policy accept;
		tcp dport ftp secmark "system_u:object_r:ftp_server_packet_t:s0"
		secmark name tcp dport map @secmapping
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

But listing or adding an entry to the map does not work:

$ nft list map inet filter secmapping
Error: Could not process rule: No such file or directory
list map inet filter secmapping
                     ^^^^^^^^^^
$ nft add element inet filter secmapping { 22 : \"system_u:object_r:ssh_server_packet_t:s0\", 80 : \"system_u:object_r:httpd_server_packet_t:s0\" }
Error: Could not process rule: No such file or directory
add element inet filter secmapping { 22 : "system_u:object_r:ssh_server_packet_t:s0", 80 : "system_u:object_r:httpd_server_packet_t:s0" }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Any advice?
Is this syntax however sane?

Best regards
Christian Göttsche

P.S.:
kernel patch (against 4.18): https://github.com/cgzones/secmark/blob/master/kernel.patch
libnftnl patch (against 1.1.1): https://github.com/cgzones/secmark/blob/master/libnftnl.patch
nftables patch (against 0.9.0): https://github.com/cgzones/secmark/blob/master/nftables.patch