author | Dominick Grift <dominick.grift@defensec.nl> | 2021-05-24 11:47:51 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-05-24 16:32:50 +0200 |
commit | f92636da30ec96f45a2eeaac025714de968b586a (patch) | |
tree | 3137f8454101948e206c72bb02d79e8b00620fc0 | |
parent | 113ed02e1e69b53e145f92db1c8a0a5bf1e742f4 (diff) |
files: improve secmark.nft example
use proper priorities to ensure that ct works properly
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rwxr-xr-x | files/examples/secmark.nft | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/files/examples/secmark.nft b/files/examples/secmark.nft
index 16f9a368..c923cebb 100755
--- a/files/examples/secmark.nft
+++ b/files/examples/secmark.nft
@@ -10,7 +10,7 @@ flush ruleset
-table inet filter {
+table inet x {
 secmark ssh_server {
 "system_u:object_r:ssh_server_packet_t:s0"
 }
@@ -57,8 +57,8 @@ table inet filter {
 elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
 }
-chain input {
-type filter hook input priority 0;
+chain y {
+type filter hook input priority -225;
 # label new incoming packets and add to connection
 ct state new meta secmark set tcp dport map @secmapping_in
@@ -71,8 +71,8 @@ table inet filter {
 ct state established,related meta secmark set ct secmark
 }
-chain output {
-type filter hook output priority 0;
+chain z {
+type filter hook output priority 225;
 # label new outgoing packets and add to connection
 ct state new meta secmark set tcp dport map @secmapping_out
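Review bot: The new `priority -225` on the input chain is a bare magic number in a file that exists to be copied, and the commit message's "ensure that ct works properly" does not explain it: conntrack's own hook priority is -200 and sits on prerouting rather than input, so a reader cannot reconstruct why -225 was chosen. The value appears to match `NF_IP_PRI_SELINUX_FIRST` (-225) from the kernel's netfilter priority table; if that is the intent, the line should say so, e.g. `type filter hook input priority -225; # NF_IP_PRI_SELINUX_FIRST: set the secmark before the SELinux-side hooks see the packet`. nft has no symbolic name for this priority, so the comment is the only documentation the example can carry. Chain `y` continues past the end of the hunk.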
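Review bot: Moving the output chain to `priority 225` does not fix the labeling gap visible in the same hunk: `@secmapping_out` is consulted only via `tcp dport`, yet its elements include `53 : "dns_client"` and `123 : "ntp_client"`, which are predominantly UDP services, so a UDP DNS or NTP query leaves with no secmark and any policy written against those labels never sees it. Unless a `udp dport` rule exists in the part of chain `z` outside the hunk, the rule should be widened, e.g. `ct state new meta secmark set th dport map @secmapping_out` or a parallel `ct state new meta secmark set udp dport map @secmapping_out`; the input chain's `tcp dport map @secmapping_in` has the same issue. The value 225 itself appears to be `NF_IP_PRI_SELINUX_LAST` and deserves a trailing comment to that effect, `# 225 == NF_IP_PRI_SELINUX_LAST`. Chain `z` ends outside the hunk.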