> > 1) I would replace secmark_raw by secmark instead. I think we should
> > hide this asymmetry to the user. I would suggest you also extend
> > the evaluation phase, i.e. expr_evaluate_meta() and expr_evaluate_ct()
> > to bail out in case the user tries to match on the raw packet / ct
> > secmark ID. IIRC, the only use case for this raw ID is to save and
> > to restore the secmark from/to the packet to/from the conntrack
> > object.
> >
> > And a few minor issues:
> >
> > 2) Please remove meta_key_unqualified chunk.
> >
> > meta_key_unqualified SET stmt_expr
>
> I mean, this update (moving the location of this rule) is not
> necessary, right? Thanks.

Without these, I am stuck with

$ ./src/nft -c -f files/examples/secmark.nft
files/examples/secmark.nft:64:49-58: Error: Counter expression must be constant
ct state established,related meta secmark set ct secmark
                                              ^^^^^^^^^^

using https://salsa.debian.org/cgzones-guest/nftables/compare/master...secmark_v2