Re: [PATCH] nftables: add support for setting secmark

On Thu, Sep 20, 2018 at 09:43:22AM +0200, Christian Göttsche wrote:
> Add support for new nft object secmark holding security context strings.
> 
> The following should demonstrate its usage (based on SELinux context):
> 
>     # define a tag containing a context string
>     nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
>     nft list secmarks
> 
>     # set the secmark
>     nft add rule inet filter input tcp dport 22 meta secmark set sshtag
> 
>     # map usage
>     nft add map inet filter secmapping { type inet_service : secmark \; }
>     nft add element inet filter secmapping { 22 : sshtag }
>     nft list maps
>     nft list map inet filter secmapping
>     nft add rule inet filter input meta secmark set tcp dport map @secmapping
> 
> Based on v0.9.0

I made the rebase myself and pushed it out.

I'd appreciate if you can review what we have in nft.git and test it.

Thanks.
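The usage shown in the quoted message is imperative (`nft add ...`). As an added example, not part of the patch or of nft.git, here is the same secmark object, rule and map written in the declarative ruleset-file form that `nft -f` loads atomically, plus a helper that parses the file in check mode (`nft -c`) so a typo is caught before anything reaches the kernel. The table, object and map names and the SELinux context come from the message; the `input` chain's hook, priority and `accept` policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch or from nft.git): the commit message's
# secmark object, rule and map in nft ruleset-file syntax.
# Assumed: chain hook/priority/policy; everything else is from the message.

# Print the ruleset to stdout.
secmark_ruleset() {
    cat <<'EOF'
table inet filter {
    # a named secmark object holding the SELinux context string
    secmark sshtag {
        "system_u:object_r:ssh_server_packet_t:s0"
    }

    # map from destination port to secmark object
    map secmapping {
        type inet_service : secmark
        elements = { 22 : "sshtag" }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # direct use of the named secmark object
        tcp dport 22 meta secmark set "sshtag"
        # lookup of the secmark via the map keyed by destination port
        meta secmark set tcp dport map @secmapping
    }
}
EOF
}

# Write the ruleset to a temporary file and, when nft is installed, parse and
# evaluate it in check mode (-c) without committing anything to the kernel.
# Returns nft's exit status, or 0 with a notice when nft is not available.
secmark_check() {
    f=$(mktemp) || return 1
    secmark_ruleset > "$f"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$f"
        rc=$?
    else
        echo "nft not installed; ruleset written to $f but not parsed" >&2
        rc=0
    fi
    rm -f "$f"
    return $rc
}

# Usage: sh this_script.sh  (prints the ruleset, then runs the check)
secmark_ruleset
secmark_check
```

Loading the file with `nft -f` applies the object, map and rules in one transaction, so the rule never exists without the secmark it references; `nft -c -f` is the same parse and evaluation without the commit, which is the check to run before touching a policy-enforcing host.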
