git.ipfire.org Git - thirdparty/nftables.git/commit

author	Christian Göttsche <cgzones@googlemail.com>
	Mon, 15 Oct 2018 12:18:36 +0000 (14:18 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 15 Oct 2018 12:31:18 +0000 (14:31 +0200)
commit	3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea
tree	20595642927c6c8b0ca0a684b1a350bbefd124f2	tree
parent	27d8946db90b79762a36e66647bb8d8fc4c17ce9	commit \| diff

src: add support for setting secmark

Add support for new nft object secmark holding security context strings.

The following should demonstrate its usage (based on SELinux context):

    # define a tag containing a context string
    nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
    nft list secmarks

    # set the secmark
    nft add rule inet filter input tcp dport 22 meta secmark set sshtag

    # map usage
    nft add map inet filter secmapping { type inet_service : secmark \; }
    nft add element inet filter secmapping { 22 : sshtag }
    nft list maps
    nft list map inet filter secmapping
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

[ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/nf_tables.h		diff \| blob \| blame \| history
include/rule.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/json.c		diff \| blob \| blame \| history
src/netlink.c		diff \| blob \| blame \| history
src/parser_bison.y		diff \| blob \| blame \| history
src/parser_json.c		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history
src/scanner.l		diff \| blob \| blame \| history
src/statement.c		diff \| blob \| blame \| history