authorChristian Göttsche <>2018-10-15 14:18:36 +0200
committerPablo Neira Ayuso <>2018-10-15 14:31:18 +0200
commit3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea (patch)
tree20595642927c6c8b0ca0a684b1a350bbefd124f2 /src/statement.c
parent27d8946db90b79762a36e66647bb8d8fc4c17ce9 (diff)
src: add support for setting secmark
Add support for new nft object secmark holding security context strings.

The following should demonstrate its usage (based on SELinux context):

# define a tag containing a context string
nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
nft list secmarks

# set the secmark
nft add rule inet filter input tcp dport 22 meta secmark set sshtag

# map usage
nft add map inet filter secmapping { type inet_service : secmark \; }
nft add element inet filter secmapping { 22 : sshtag }
nft list maps
nft list map inet filter secmapping
nft add rule inet filter input meta secmark set tcp dport map @secmapping

[ Original patch based on v0.9.0. Rebase on top of git HEAD. --pablo ]

Signed-off-by: Christian Göttsche <>
Signed-off-by: Pablo Neira Ayuso <>
diff --git a/src/statement.c b/src/statement.c
index a02ebc84..909f04ca 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -204,6 +204,7 @@ static const char *objref_type[NFT_OBJECT_MAX + 1] = {
[NFT_OBJECT_CT_HELPER] = "ct helper",
[NFT_OBJECT_LIMIT] = "limit",
[NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
+ [NFT_OBJECT_SECMARK] = "secmark",
