Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> Now the following works:
>
> $ nft add secmark inet filter sshtag
> \"system_u:object_r:ssh_server_packet_t:s0\"
> $ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
> $ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
> $ nft add element inet filter secmapping { 22 : sshtag }

This looks great, thanks a lot.

I still would prefer to use meta secmark set ... but we can sort it out
after getting this to work.

> But the complex case does not work yet:
> $ nft add rule inet filter input meta secmark set tcp dport map @secmapping
> Error: Expression is not a map
> add rule inet filter input meta secmark set tcp dport map @secmapping
>                                                           ^^^^^^^^^^^

Might be a bug (misleading error message) in nft, I will push this fix:

diff --git a/src/evaluate.c b/src/evaluate.c
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2826,10 +2826,12 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt)
 	case EXPR_SYMBOL:
 		if (expr_evaluate(ctx, &map->mappings) < 0)
 			return -1;
-		if (map->mappings->ops->type != EXPR_SET_REF ||
-		    !(map->mappings->set->flags & NFT_SET_OBJECT))
+		if (map->mappings->ops->type != EXPR_SET_REF)
 			return expr_error(ctx->msgs, map->mappings,
 					  "Expression is not a map");
+		if (!(map->mappings->set->flags & NFT_SET_OBJECT))
+			return expr_error(ctx->msgs, map->mappings,
+					  "Expression is not a map containing objects");
 		break;
 	default:
 		BUG("invalid mapping expression %s\n",

> table inet filter {
>         map secmapping {
>                 type inet_service : secmark_tag
>                 elements = { ssh : "sshtag" }
>         }
> }

I suspect map_block in parser_bison.y doesn't set NFT_SET_OBJECT on the map,
this evidently is a map :-)
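Review bot: the hunk in stmt_evaluate_objref_map() only sharpens the diagnostic and does not address the reported failure: with NFT_SET_OBJECT still unset on a map declared inside a table block (the map_block suspicion raised in this message), the rule `meta secmark set tcp dport map @secmapping` will now be rejected with "Expression is not a map containing objects" instead of "Expression is not a map". Worth stating that in the commit message so the user does not read this as the fix for the `secmark_tag` map case, and the follow-up in parser_bison.y should come with a test covering an objref map declared in a table block, since the shell-created map (`nft add map ...`) evidently takes a different path and already works. The split itself is safe: the `set` dereference in the new second check is still guarded by the EXPR_SET_REF return on the preceding line, exactly as the `||` short-circuit guarded it before.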