Secmark
secmark objects add netfilter SECMARK labels to a ruleset, for use with SELinux or other Linux Security Modules. At least Linux kernel 4.20 and nftables 0.9.3 are required for secmark object support.
Using secmark in rules
The following ruleset defines an sshtag secmark object and uses it to set SECMARK on packets to port tcp/22 (ssh):
table inet secmark_rule_demo {
    secmark sshtag { "system_u:object_r:ssh_server_packet_t:s0" }
    chain IN {
        type filter hook input priority filter;
        tcp dport 22 meta secmark set "sshtag"
    }
}
Using secmark in maps
A secmark object can also be the value type of a map, so the label applied to a packet is selected by a lookup (here, by TCP destination port):
table inet secmark_map_demo {
    secmark sshtag { "system_u:object_r:ssh_server_packet_t:s0" }
    map secmapping {
        type inet_service : secmark
        elements = {
            22 : "sshtag",
        }
    }
    chain IN {
        type filter hook input priority filter;
        meta secmark set tcp dport map @secmapping
    }
}
See Also
- secmark.nft example distributed with nftables source