From 2250296370752e516dc367f1239753b15efbea94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Sat, 23 Nov 2019 17:22:39 +0100 Subject: src: add ability to set/get secmarks to/from connection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Labeling established and related packets requires the secmark to be stored in the connection. Add the ability to store and retrieve secmarks like: ... chain input { ... # label new incoming packets ct state new meta secmark set tcp dport map @secmapping_in # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... chain output { ... # label new outgoing packets ct state new meta secmark set tcp dport map @secmapping_out # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... This patch also disallow constant value on the right hand side. # nft add rule x y meta secmark 12 Error: Cannot be used with right hand side constant value add rule x y meta secmark 12 ~~~~~~~~~~~~ ^^ # nft add rule x y ct secmark 12 Error: Cannot be used with right hand side constant value add rule x y ct secmark 12 ~~~~~~~~~~ ^^ # nft add rule x y ct secmark set 12 Error: ct secmark must not be set to constant value add rule x y ct secmark set 12 ^^^^^^^^^^^^^^^^^ This patch improves 3bc84e5c1fdd ("src: add support for setting secmark"). Signed-off-by: Christian Göttsche Signed-off-by: Pablo Neira Ayuso --- src/meta.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/meta.c') diff --git a/src/meta.c b/src/meta.c index 69a897a9..796d8e94 100644 --- a/src/meta.c +++ b/src/meta.c @@ -698,6 +698,8 @@ const struct meta_template meta_templates[] = { [NFT_META_TIME_HOUR] = META_TEMPLATE("hour", &hour_type, 4 * BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), + [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type, + 32, BYTEORDER_HOST_ENDIAN), }; static bool meta_key_is_unqualified(enum nft_meta_keys key) -- cgit v1.2.3