From f92636da30ec96f45a2eeaac025714de968b586a Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 24 May 2021 11:47:51 +0200
Subject: files: improve secmark.nft example
use proper priorities to ensure that ct works properly
Signed-off-by: Dominick Grift
Signed-off-by: Pablo Neira Ayuso
---
files/examples/secmark.nft | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'files')
diff --git a/files/examples/secmark.nft b/files/examples/secmark.nft
index 16f9a368..c923cebb 100755
--- a/files/examples/secmark.nft
+++ b/files/examples/secmark.nft
@@ -10,7 +10,7 @@ flush ruleset
-table inet filter {
+table inet x {
 secmark ssh_server {
 "system_u:object_r:ssh_server_packet_t:s0"
 }
@@ -57,8 +57,8 @@ table inet filter {
 elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
 }
- chain input {
- type filter hook input priority 0;
+ chain y {
+ type filter hook input priority -225;
 # label new incoming packets and add to connection
 ct state new meta secmark set tcp dport map @secmapping_in
@@ -71,8 +71,8 @@ table inet filter {
 ct state established,related meta secmark set ct secmark
 }
- chain output {
- type filter hook output priority 0;
+ chain z {
+ type filter hook output priority 225;
 # label new outgoing packets and add to connection
 ct state new meta secmark set tcp dport map @secmapping_out
--
cgit v1.2.3
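Review bot: The new priorities `-225` and `225` on the `type filter hook input` and `type filter hook output` lines (second and third hunks) are unexplained magic numbers in an example file, and the only rationale ("ensure that ct works properly") lives in the commit message rather than next to the values. They appear to mirror the kernel's NF_IP_PRI_SELINUX_FIRST / NF_IP_PRI_SELINUX_LAST netfilter priorities that the SELinux hooks register at, but a reader of the example cannot tell that; a comment above each `type` line such as `# -225: set the secmark before the LSM's own netfilter hooks see the packet (NF_IP_PRI_SELINUX_FIRST)` and `# 225: run after the LSM's output hook (NF_IP_PRI_SELINUX_LAST)` would make the ordering requirement auditable. The renames of `filter`/`input`/`output` to `x`/`y`/`z` across all three hunks also make the example harder to follow than the descriptive names they replace; if the intent is to avoid colliding with a pre-existing `inet filter` table, a comment saying so would help, otherwise names like `secmark_in`/`secmark_out` would be clearer. The bodies of both chains continue outside their hunks.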