Hi,

I am trying to finally get secmark with nftables to work. The kernel[1][2] and libnftnl[3] parts are done. For the nft front-end I think some things need a further change beyond what was already introduced[4].

1. I found no way to store the secmark label into the connection tracking state and thereby set the label on established,related packets. Using a patch[5] it works with the following syntax:

(Note: The patch will currently probably not apply to current master, due to [6])

    [... define secmarks and port maps ...]

    chain input {
        type filter hook input priority 0;
        ct state new meta secmark set tcp dport map @secmapping_in
        ct state new ip protocol icmp meta secmark set "icmp_server"
        ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
        ct state new ct secmark_raw set meta secmark_raw
        ct state established,related meta secmark_raw set ct secmark_raw
    }

    chain output {
        type filter hook output priority 0;
        ct state new meta secmark set tcp dport map @secmapping_out
        ct state new ip protocol icmp meta secmark set "icmp_client"
        ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
        ct state new ct secmark_raw set meta secmark_raw
        ct state established,related meta secmark_raw set ct secmark_raw
    }

2. The rules in 1. are not idempotent. The output of 'nft list ruleset' is:

    chain input {
        type filter hook input priority filter; policy accept;
        ct state new secmark name tcp dport map @secmapping_in
        ct state new ip protocol icmp secmark name "icmp_server"
        ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_server"
        ct state new ct secmark set secmark
        ct state established,related secmark set ct secmark
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct state new secmark name tcp dport map @secmapping_out
        ct state new ip protocol icmp secmark name "icmp_client"
        ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_client"
        ct state new ct secmark set secmark
        ct state established,related secmark set ct secmark
    }

What are the code locations to fix?

3. The patch also adds the ability to reset secmarks. Is there a way to query the kernel about the actual secid (to verify the reset works)?

4. Maybe I can contribute a howto for wiki.nftables.org. What is the preferred format?

Best regards,
Christian Göttsche

[1] https://github.com/torvalds/linux/commit/fb961945457f5177072c968aa38fee910ab893b9
[2] https://github.com/torvalds/linux/commit/b473a1f5ddee5f73392c387940f4fbcbabfc3431
[3] https://git.netfilter.org/libnftnl/commit/?id=aaf20ad0dc22d2ebcad1b2c43288e984f0efe2c3
[4] https://git.netfilter.org/nftables/commit/?id=3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea
[5] https://salsa.debian.org/cgzones-guest/pkg-nftables/blob/master/debian/patches/0004-secmark-add-missing-pieces.patch
[6] https://git.netfilter.org/nftables/commit/?id=998142c71d095d79488495ea545a704213fa0ba0