From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nftables: secmark support
Date: Tue, 19 Nov 2019 20:40:13 +0100
Message-ID: <20191119194013.fobvb5wfxz327esl@salvia>
In-Reply-To: <CAJ2a_Dd5NTOorEuPHzsUvj8kOTQmGWw6z6fUydMqCYibgHo8QQ@mail.gmail.com>

On Tue, Nov 19, 2019 at 08:02:10PM +0100, Christian Göttsche wrote:
> > > 1) I would replace secmark_raw by secmark instead. I think we should
> > >    hide this asymmetry to the user. I would suggest you also extend
> > >    the evaluation phase, ie. expr_evaluate_meta() and expr_evaluate_ct()
> > >    to bail out in case the user tries to match on the raw packet / ct
> > >    secmark ID. IIRC, the only use case for this raw ID is to save and
> > >    to restore the secmark from/to the packet to/from the conntrack
> > >    object.
> > >
> > > And a few minor issues:
> > >
> > > 2) Please remove meta_key_unqualified chunk.
> > >
> > >         meta_key_unqualified    SET stmt_expr
> >
> > I mean, this update (moving the location of this rule) is not
> > necessary, right? Thanks.
>
> Without these, I am stuck with
>
> $ ./src/nft -c -f files/examples/secmark.nft
> files/examples/secmark.nft:64:49-58: Error: Counter expression must be constant
>                 ct state established,related meta secmark set ct secmark
>                                                               ^^^^^^^^^^

meta_stmt               :       META    meta_key        SET stmt_expr
                        {
                                switch ($2) {
                                case NFT_META_SECMARK:
                                        $$ = objref_stmt_alloc(&@$);
                                        $$->objref.type = NFT_OBJECT_SECMARK;
                                        $$->objref.expr = $4;

Check for what type of expression you have on $4 from the parser code.
If this is EXPR_META or EXPR_CT, then this is restoring a value. If
that is the case, then you have to use meta_stmt_alloc(), not
objref_stmt_alloc(), since this is not a reference to an object.
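
The distinction drawn in the reply above, as an added example that is not part of the thread or of nftables: a simplified, self-contained C model that classifies the right-hand side of a `meta secmark set` statement. The enum, `skip_word()` and `classify_secmark_set()` are hypothetical names, and the string matching only stands in for the expression-type check on `$4`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not nftables source: the two statement kinds the reply
 * distinguishes for "meta secmark set <rhs>". */
enum secmark_stmt {
	SECMARK_STMT_INVALID,	/* not a complete "meta secmark set <rhs>" */
	SECMARK_STMT_META,	/* rhs is a meta/ct expression: restore raw value */
	SECMARK_STMT_OBJREF	/* rhs names a secmark object: object reference */
};

/* Return a pointer past `word` and any blanks after it, or NULL if absent. */
static const char *skip_word(const char *s, const char *word)
{
	size_t n = strlen(word);

	if (strncmp(s, word, n) != 0 || (s[n] != ' ' && s[n] != '\0'))
		return NULL;
	s += n;
	while (*s == ' ')
		s++;
	return s;
}

enum secmark_stmt classify_secmark_set(const char *stmt)
{
	const char *rhs = stmt;

	/* Only the statement form discussed in the thread is modelled. */
	if (!(rhs = skip_word(rhs, "meta")) ||
	    !(rhs = skip_word(rhs, "secmark")) ||
	    !(rhs = skip_word(rhs, "set")) || *rhs == '\0')
		return SECMARK_STMT_INVALID;
	/* Stand-in for checking $4 for EXPR_META or EXPR_CT in the grammar. */
	if (skip_word(rhs, "ct") || skip_word(rhs, "meta"))
		return SECMARK_STMT_META;
	/* Anything else is treated as the name of a secmark object. */
	return SECMARK_STMT_OBJREF;
}

int main(void)
{
	/* Constructed inputs; the first is the rule fragment from the error. */
	printf("%d\n", classify_secmark_set("meta secmark set ct secmark"));
	printf("%d\n", classify_secmark_set("meta secmark set \"sshtag\""));
	return 0;
}
```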
