authorChristian Göttsche <cgzones@googlemail.com>2018-10-15 14:18:36 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-10-15 14:31:18 +0200
commit3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch)
tree20595642927c6c8b0ca0a684b1a350bbefd124f2 /src/json.c
parent27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff)
src: add support for setting secmark
Add support for a new nft object secmark holding security context strings. The following should demonstrate its usage (based on SELinux context): # define a tag containing a context string nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\" nft list secmarks # set the secmark nft add rule inet filter input tcp dport 22 meta secmark set sshtag # map usage nft add map inet filter secmapping { type inet_service : secmark \; } nft add element inet filter secmapping { 22 : sshtag } nft list maps nft list map inet filter secmapping nft add rule inet filter input meta secmark set tcp dport map @secmapping [ Original patch based on v0.9.0. Rebase on top of git HEAD. --pablo ] Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/json.c')
-rw-r--r--src/json.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/json.c b/src/json.c
index 1ab2d431..1cde2706 100644
--- a/src/json.c
+++ b/src/json.c
@@ -294,6 +294,12 @@ static json_t *obj_print_json(struct output_ctx *octx, const struct obj *obj)
json_object_update(root, tmp);
json_decref(tmp);
break;
+ case NFT_OBJECT_SECMARK:
+ tmp = json_pack("{s:s}",
+ "context", obj->secmark.ctx);
+ json_object_update(root, tmp);
+ json_decref(tmp);
+ break;
case NFT_OBJECT_CT_HELPER:
tmp = json_pack("{s:s, s:o, s:s}",
"type", obj->ct_helper.name, "protocol",
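Review bot: The json_pack() result in the added NFT_OBJECT_SECMARK case is passed to json_object_update() without a NULL check; jansson's `s` conversion returns NULL for a string that is not valid UTF-8 (and, depending on the jansson version, for a NULL pointer), after which json_object_update(root, NULL) fails and the "context" key is silently missing from the listing. The context string is whatever the kernel handed back over netlink, so this function cannot assume it is well-formed UTF-8. The neighbouring cases share the same unchecked pattern, so the minimal local fix is `if (!tmp) break;` between the json_pack() and json_object_update() calls, or a short comment stating why a pack failure is tolerated here. obj_print_json() begins and ends outside the hunk.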
@@ -1706,6 +1712,10 @@ int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_LIMITS:
root = do_list_obj_json(ctx, cmd, NFT_OBJECT_LIMIT);
break;
+ case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SECMARKS:
+ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_SECMARK);
+ break;
case CMD_OBJ_FLOWTABLES:
root = do_list_flowtables_json(ctx, cmd);
break;