Re: SECMARK support

Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> Adding a new keyword "secmark_raw" seems to do the trick a bit.
> But somewhere it is still unsupported:
> 
> $ nft --debug=netlink add rule inet filter output meta secmark_raw set ct secmark_raw
> inet filter output
>   [ ct load secmark => reg 1 ]
>   [ meta set secmark with reg 1 ]

Yes, this looks good.
I think you can reuse

meta secmark set ct secmark

but it will require a fixup during the postprocessing stage.
During that phase the statement will have access to the argument
expression and could do a rewrite of the expressions involved.

> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +       case NFT_CT_SECMARK:
> +               if (ct->secmark != value) {
> +                       ct->secmark = value;
> +                       nf_conntrack_event_cache(IPCT_SECMARK, ct);
> +               }
> +               break;
> +#endif
>  #ifdef CONFIG_NF_CONNTRACK_LABELS
>         case NFT_CT_LABELS:
>                 nf_connlabels_replace(ct,
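Review bot: the store in the NFT_CT_SECMARK case replaces any secmark already held by the connection whenever the register value differs, so a rule evaluated on a later packet can relabel a connection that was already labelled; if a connection is meant to be labelled only once, guard the assignment with `!ct->secmark`, otherwise say in the commit message that relabelling is deliberate. Caching IPCT_SECMARK only when the value actually changes is the right choice, as it avoids emitting conntrack events for no-op updates.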
> @@ -562,6 +570,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
>                         return -EINVAL;
>                 len = sizeof(u32);
>                 break;
> +#endif
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +       case NFT_CT_SECMARK:
> +               if (tb[NFTA_CT_DIRECTION])
> +                       return -EINVAL;
> +               len = sizeof(u32);
> +               break;
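Review bot: the nft_ct_set_init case correctly rejects NFTA_CT_DIRECTION and fixes the length at sizeof(u32) for a per-connection 32-bit field, but the hunk is cut off right after `break;` with no trailing context: because the patch emits its own `+#endif` before opening `#ifdef CONFIG_NF_CONNTRACK_SECMARK`, double-check that the pre-existing `#endif` following the previous case now closes the new block, and consider a one-line comment stating why a direction is meaningless for the secmark so the -EINVAL is self-explanatory.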

Looks good to me.
