I am trying to get a connsecmark equivalent working. How can I implement the secmark pushing from the ct state to the package?

kernel patch:

---
 net/netfilter/nft_ct.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 1435ffc5..78831416 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -296,6 +296,14 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
 		}
 		break;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+	case NFT_CT_SECMARK:
+		if (ct->secmark != value) {
+			ct->secmark = value;
+			nf_conntrack_event_cache(IPCT_SECMARK, ct);
+		}
+		break;
+#endif
 #ifdef CONFIG_NF_CONNTRACK_LABELS
 	case NFT_CT_LABELS:
 		nf_connlabels_replace(ct,
@@ -562,6 +570,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
 			return -EINVAL;
 		len = sizeof(u32);
 		break;
+#endif
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+	case NFT_CT_SECMARK:
+		if (tb[NFTA_CT_DIRECTION])
+			return -EINVAL;
+		len = sizeof(u32);
+		break;
 #endif
 	default:
 		return -EOPNOTSUPP;
-- 
2.19.0

nftables patch:

---
 src/ct.c | 2 ++
 src/meta.c | 2 ++
 src/parser_bison.y | 1 +
 3 files changed, 5 insertions(+)

diff --git a/src/ct.c b/src/ct.c
index 1d50382..e62c255 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -291,6 +291,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					BYTEORDER_HOST_ENDIAN, 16),
 	[NFT_CT_EVENTMASK]	= CT_TEMPLATE("event", &ct_event_type,
 					BYTEORDER_HOST_ENDIAN, 32),
+	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark", &integer_type,
+					BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/meta.c b/src/meta.c
index 19066a1..76be247 100644
--- a/src/meta.c
+++ b/src/meta.c
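Review bot: The NFT_CT_SECMARK case in nft_ct_set_eval overwrites ct->secmark whenever the register value differs, so any later packet of an established flow can relabel a connection that was already labelled; the xtables CONNSECMARK "save" mode this is meant to replace only fills in a conntrack secmark that is still 0 and never replaces an existing one. If the goal is a drop-in equivalent, the guard should be `if (value && !ct->secmark) {` so the first label sticks; if mark-like mutability is intended, the commit message should state that an existing conntrack secmark is replaced, since LSM hooks that consult ct->secmark for later packets will see the new value. The `value` read and the `ct` lookup happen in nft_ct_set_eval before this hunk, so the function starts outside it.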
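Review bot: The diffstat reports 15 insertions and the two hunks account for all 15, so this kernel patch adds no NFT_CT_SECMARK case to the get side of nft_ct.c; the failing rule in the question reads `ct secmark` as a source, which the kernel cannot serve without a matching get key and will presumably reject during expression init. Separately, nft_ct_set_init accepts any u32 for NFT_CT_SECMARK with only the direction check, whereas the xtables SECMARK target validates its secid against the LSM at checkentry time, so a constant source can store a secid the LSM never issued and the problem only surfaces when ct->secmark is later consulted. If that is acceptable because the expected source is `meta secmark` of an already-labelled packet, say so in the commit message; otherwise consider validating the value. nft_ct_set_init continues outside the hunk.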
@@ -444,6 +444,8 @@ const struct meta_template meta_templates[] = {
 					BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
 	[NFT_META_SECPATH]	= META_TEMPLATE("secpath", &boolean_type,
 					BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
+	[NFT_META_SECMARK]	= META_TEMPLATE("secmark", &integer_type,
+					32, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_qualified(enum nft_meta_keys key)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a42bc05..dc6f3f4 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3766,6 +3766,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	PROTO_DST	{ $$ = NFT_CT_PROTO_DST; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
+			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
 			|	ct_key_dir_optional
 			;
 
-- 
2.19.0

$ nft add rule inet filter input ct secmark set meta secmark

works, but

$ nft add rule inet filter output meta secmark set ct secmark
Error: datatype mismatch: expected string, expression has type integer
add rule inet filter output meta secmark set ct secmark
                            ~~~~~~~~~~~~~~~~~^^^^^^^^^^

not.
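Review bot: The new NFT_META_SECMARK template types `meta secmark` as an integer, yet the reported error says the `meta secmark set` statement expected a string, which suggests that statement is not resolved through this table at all; worth confirming before assuming the template is in effect for the set path. The meta_key_is_qualified() switch directly below the table is not extended, so the new key would print unqualified as `secmark`; if the bare `secmark` keyword is also used elsewhere in the grammar, adding `case NFT_META_SECMARK:` there keeps listed rules re-parseable. Whether the key should be qualified depends on grammar outside this hunk.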
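Review bot: SECMARK is added only to ct_key here, not to any meta key rule, and yet `ct secmark set meta secmark` already parses, so `meta secmark` must be consumed by a pre-existing rule; the "expected string" mismatch on `meta secmark set ct secmark` therefore most likely comes from that pre-existing statement rule expecting a string operand, not from the ct_key addition in this hunk. Check which rule matches `META SECMARK SET stmt_expr` and, if an integer operand is meant to be allowed, add SECMARK to the meta key alternatives as well. Leaving SECMARK out of ct_key_dir_optional is consistent with the kernel side rejecting NFTA_CT_DIRECTION for this key.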