Aargh, some code in the nft_meta.c was missing.
Now it works, I'll test further and append the patches with the next
round of the secmark ones.
for reference: https://github.com/cgzones/secmark/tree/master/connsecmark
Adding a new keyword "secmark_raw" seems to do the trick a bit.
But somewhere it is still unsupported:
$ nft --debug=netlink add rule inet filter output meta secmark_raw set
ct secmark_raw
inet filter output
[ ct load secmark => reg 1 ]
[ meta set secmark with reg 1 ]
Error: Could not
I am trying to get a connsecmark equivalent working.
How can I implement the secmark pushing from the ct state to the package?
kernel patch:
---
net/netfilter/nft_ct.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index
net filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping
Based on v0.9.0
Signed-off-by: Christian Göttsche
---
include/linux/netfilter/nf_tables.h | 18 -
include/rule.h | 9 +++
src/evaluate.c | 5 ++
The new object will hold security context strings.
Note:
nftnl_obj_secmark_json_parse is not yet implemented;
I'd like to get some help on how to implement json string parsing, as it is not
implemented in ct_helper or ct_timeout.
Based on v1.1.1
Signed-off-by: Christian Göttsche
---
include
I think it was a bug of mine, sorted it out:
https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
Now I'll focus on connsecmark and testing :-)
elements = { ssh : "sshtag" }
}
}
Any ideas?
Best regards
Christian Göttsche
, 80 :
"system_u:object_r:httpd_server_packet_t:s0" }
^^
Any advice? Is this syntax however sane?
Best regards
Christian Göttsche
p.s.:
kernel patch (against 4.18):
https://github.com/cgzones/secmark/bl
> Simplest version is to merge your patch into nft_meta.c, in the
> "set" part, and make the init() function translate it to the 32bit
> immediate, this would pretty much look like your patch.
Doesn't this conflict with the fact that e.g. reloading the SELinux
policy invalidates the string <->
regards,
Christian Göttsche
[1] https://zasdfgbnm.github.io/2017/09/07/Extending-nftables
[2] https://github.com/cgzones/secmark
Hi,
I am an SELinux user and would like to see SECMARK support in nftables, to be
able to confine network operations [1][2].
Is there currently some effort in adding support for this?
Best regards,
Christian Göttsche
[1] https://paulmoore.livejournal.com/4281.html
[2] https://selinuxproject.org