[nftables PATCH] files: improve secmark.nft example

[nftables PATCH] files: improve secmark.nft example

[Dominick Grift]

use proper priorities to ensure that ct works properly

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 files/examples/secmark.nft | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/files/examples/secmark.nft b/files/examples/secmark.nft
index 16f9a368..c923cebb 100755
--- a/files/examples/secmark.nft
+++ b/files/examples/secmark.nft
@@ -10,7 +10,7 @@
 
 flush ruleset
 
-table inet filter {
+table inet x {
 	secmark ssh_server {
 		"system_u:object_r:ssh_server_packet_t:s0"
 	}
@@ -57,8 +57,8 @@ table inet filter {
 		elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
 	}
 
-	chain input {
-		type filter hook input priority 0;
+	chain y {
+		type filter hook input priority -225;
 
 		# label new incoming packets and add to connection
 		ct state new meta secmark set tcp dport map @secmapping_in
@@ -71,8 +71,8 @@ table inet filter {
 		ct state established,related meta secmark set ct secmark
 	}
 
-	chain output {
-		type filter hook output priority 0;
+	chain z {
+		type filter hook output priority 225;
 
 		# label new outgoing packets and add to connection
 		ct state new meta secmark set tcp dport map @secmapping_out
-- 
2.31.1

Re: [nftables PATCH] files: improve secmark.nft example

[Pablo Neira Ayuso]

On Mon, May 24, 2021 at 11:47:51AM +0200, Dominick Grift wrote:
> use proper priorities to ensure that ct works properly

Applied, thanks.