Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> I am trying to get a connsecmark equivalent working.
>
> How can I implement the secmark pushing from the ct state to the package?

Good question. Should we even allow setting it from register context
or should we enforce strict ct->secmark = skb->secmark?

> $ nft add rule inet filter input ct secmark set meta secmark
> works, but
> $ nft add rule inet filter output meta secmark set ct secmark
> Error: datatype mismatch: expected string, expression has type integer
> add rule inet filter output meta secmark set ct secmark
>                             ~~~~~~~~~~~~~~~~~^^^^^^^^^^

Hmm. meta secmark set expects an object-name, right?

I think this will have to be fixed up during evaluation phase so
that "meta secmark set" creates a plain "meta set expression" and not
the objref, which won't be of any use in this case.