Re: SECMARK support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Many thanks, now I think I understand the desired behavior with the
helper objects.

Now the following works:

$ nft add secmark inet filter sshtag
\"system_u:object_r:ssh_server_packet_t:s0\"
$ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
$ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
$ nft add element inet filter secmapping { 22 : sshtag }
$  nft list ruleset
table inet filter {
        secmark sshtag {
                system_u:object_r:ssh_server_packet_t:s0
        }

        map secmapping {
                type inet_service : secmark_tag
                elements = { ssh : "sshtag" }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport ssh secmark name "sshtag"
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

But the complex case does not work yet:
$ nft add rule inet filter input meta secmark set tcp dport map @secmapping
Error: Expression is not a map
add rule inet filter input meta secmark set tcp dport map @secmapping
                                                          ^^^^^^^^^^^

even though it is a map:
$ nft list map inet filter secmapping
table inet filter {
        map secmapping {
                type inet_service : secmark_tag
                elements = { ssh : "sshtag" }
        }
}


Any ideas?



Best regards
      Christian Göttsche




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux