Many thanks, now I think I understand the desired behavior with the
helper objects.

Now the following works:

$ nft add secmark inet filter sshtag
\"system_u:object_r:ssh_server_packet_t:s0\"
$ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
$ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
$ nft add element inet filter secmapping { 22 : sshtag }
$ nft list ruleset
table inet filter {
        secmark sshtag {
                system_u:object_r:ssh_server_packet_t:s0
        }

        map secmapping {
                type inet_service : secmark_tag
                elements = { ssh : "sshtag" }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport ssh secmark name "sshtag"
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

But the complex case does not work yet:
$ nft add rule inet filter input meta secmark set tcp dport map @secmapping
Error: Expression is not a map
add rule inet filter input meta secmark set tcp dport map @secmapping
                                                          ^^^^^^^^^^^

even though it is a map:
$ nft list map inet filter secmapping
table inet filter {
        map secmapping {
                type inet_service : secmark_tag
                elements = { ssh : "sshtag" }
        }
}

Any ideas?

Best regards
      Christian Göttsche
