On Thu, Sep 20, 2018 at 09:43:22AM +0200, Christian Göttsche wrote:
> Add support for new nft object secmark holding security context strings.
>
> The following should demonstrate its usage (based on SELinux context):
>
> # define a tag containing a context string
> nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
> nft list secmarks
>
> # set the secmark
> nft add rule inet filter input tcp dport 22 meta secmark set sshtag
>
> # map usage
> nft add map inet filter secmapping { type inet_service : secmark \; }
> nft add element inet filter secmapping { 22 : sshtag }
> nft list maps
> nft list map inet filter secmapping
> nft add rule inet filter input meta secmark set tcp dport map @secmapping
>
> Based on v0.9.0

I made the rebase myself and pushed it out. I'd appreciate if you can
review what we have in nft.git and test it.

Thanks.