On Wed, Nov 20, 2019 at 06:43:55PM +0100, Christian Göttsche wrote:
> Labeling established and related packets requires the secmark to be stored in the connection.
> Add the ability to store and retrieve secmarks like:
>
>     ...
>     chain input {
>         ...
>
>         # label new incoming packets
>         ct state new meta secmark set tcp dport map @secmapping_in
>
>         # add label to connection
>         ct state new ct secmark set meta secmark
>
>         # set label for est/rel packets from connection
>         ct state established,related meta secmark set ct secmark
>
>         ...
>     }
>     ...
>     chain output {
>         ...
>
>         # label new outgoing packets
>         ct state new meta secmark set tcp dport map @secmapping_out
>
>         # add label to connection
>         ct state new ct secmark set meta secmark
>
>         # set label for est/rel packets from connection
>         ct state established,related meta secmark set ct secmark
>
>         ...
>     }
>     ...

I have applied this with minor changes on the evaluation side.

Just follow up with another patch in case you find any issue.

Thanks.