On Tue, Oct 22, 2019 at 05:57:25PM +0200, Christian Göttsche wrote:
> Hi,
> I am trying to finally get secmark with nftables to work.
> The kernel[1][2] and libnftnl[3] parts are done.
> For the nft front-end I think some things need a further change than
> already introduced[4].
>
> 1.
> I found no way to store the secmark label into the connection tracking
> state and thereby set the label on established,related packets.
> Using a patch[5] it works with the following syntax:
> (Note: The patch will currently probably not apply to current master,
> due to [6])
>
> [... define secmarks and port maps ...]
> chain input {
>     type filter hook input priority 0;
>     ct state new meta secmark set tcp dport map @secmapping_in
>     ct state new ip protocol icmp meta secmark set "icmp_server"
>     ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
>     ct state new ct secmark_raw set meta secmark_raw
>     ct state established,related meta secmark_raw set ct secmark_raw

So your concern is the need for this extra secmark_raw, correct?

This is what your patch [6] does, right? If you don't mind rebasing it,
I can have a look and see if I can propose something other than this new
keyword.

> }
> chain output {
>     type filter hook output priority 0;
>     ct state new meta secmark set tcp dport map @secmapping_out
>     ct state new ip protocol icmp meta secmark set "icmp_client"
>     ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
>     ct state new ct secmark_raw set meta secmark_raw
>     ct state established,related meta secmark_raw set ct secmark_raw
> }
>
> 2.
> The rules in 1. are not idempotent.
> The output of 'nft list ruleset' is:
>
> chain input {
>     type filter hook input priority filter; policy accept;
>     ct state new secmark name tcp dport map @secmapping_in
>     ct state new ip protocol icmp secmark name "icmp_server"
>     ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_server"
>     ct state new ct secmark set secmark
>     ct state established,related secmark set ct secmark

This is the listing after you add the ruleset in 1., correct?

> }
> chain output {
>     type filter hook output priority filter; policy accept;
>     ct state new secmark name tcp dport map @secmapping_out
>     ct state new ip protocol icmp secmark name "icmp_client"
>     ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_client"
>     ct state new ct secmark set secmark
>     ct state established,related secmark set ct secmark
> }
>
> What are the code locations to fix?
>
> 3.
> The patch also adds the ability to reset secmarks.
> Is there a way to query the kernel about the actual secid (to verify
> the reset works)?

What do you mean by "reset secmarks"? Example, please.

> 4.
> Maybe I can contribute a howto for wiki.nftables.org. What is the
> preferred format?

That would be great indeed.

> Sorry for the many questions!

[...]

> [1] https://github.com/torvalds/linux/commit/fb961945457f5177072c968aa38fee910ab893b9
> [2] https://github.com/torvalds/linux/commit/b473a1f5ddee5f73392c387940f4fbcbabfc3431
> [3] https://git.netfilter.org/libnftnl/commit/?id=aaf20ad0dc22d2ebcad1b2c43288e984f0efe2c3
> [4] https://git.netfilter.org/nftables/commit/?id=3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea
> [5] https://salsa.debian.org/cgzones-guest/pkg-nftables/blob/master/debian/patches/0004-secmark-add-missing-pieces.patch
> [6] https://git.netfilter.org/nftables/commit/?id=998142c71d095d79488495ea545a704213fa0ba0
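As an added example (not from the mail thread and not the nftables project's own code), here is a complete ruleset file in the shape of the quoted chains, including the `secmark` object and port-map definitions that the quoted text elides. The `secmark { "..." }` object syntax and the `type inet_service : secmark` map type are the ones nft's secmark support uses; the SELinux packet contexts, the map names and the `ssh_*` object names are assumptions chosen to match the quoted rules, and the `secmark_raw` keyword is the one from the patch under discussion, so it only parses with that patch applied. The leading `flush ruleset` makes `nft -f` replace the previous ruleset atomically, so loading the file a second time does not append duplicate rules.

```nft
#!/usr/sbin/nft -f
# Added example: full ruleset in the shape of the chains quoted in the mail.
# Assumptions: the SELinux contexts below are placeholders to adapt to the
# local policy; "secmark_raw" is the keyword from the patch being discussed.

flush ruleset   # atomic replace: reloading this file does not duplicate rules

table inet filter {
    # secmark objects: nft name -> security context string (SELinux label)
    secmark ssh_server {
        "system_u:object_r:ssh_server_packet_t:s0"
    }
    secmark ssh_client {
        "system_u:object_r:ssh_client_packet_t:s0"
    }
    secmark icmp_server {
        "system_u:object_r:icmp_server_packet_t:s0"
    }
    secmark icmp_client {
        "system_u:object_r:icmp_client_packet_t:s0"
    }

    # destination port -> secmark object, consulted by the chains below
    map secmapping_in {
        type inet_service : secmark
        elements = { 22 : "ssh_server" }
    }
    map secmapping_out {
        type inet_service : secmark
        elements = { 22 : "ssh_client" }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # label the first packet of a new flow
        ct state new meta secmark set tcp dport map @secmapping_in
        ct state new ip protocol icmp meta secmark set "icmp_server"
        ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
        # store the packet label in conntrack, then restore it on later packets
        ct state new ct secmark_raw set meta secmark_raw
        ct state established,related meta secmark_raw set ct secmark_raw
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ct state new meta secmark set tcp dport map @secmapping_out
        ct state new ip protocol icmp meta secmark set "icmp_client"
        ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
        ct state new ct secmark_raw set meta secmark_raw
        ct state established,related meta secmark_raw set ct secmark_raw
    }
}
```

Load it with `nft -f <file>` and compare `nft list ruleset` against the file; a ruleset file that starts with `flush ruleset` is the usual way to make reloads idempotent regardless of how nft prints the rules back.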