netfilter: nf_tables: add requirements for connsecmark support

Add ability to set the connection tracking secmark value. Add ability to set the meta secmark value. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Christian Göttsche <cgzones@googlemail.com> 2018-09-23 20:26:16 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-28 14:28:34 +0200
commit: b473a1f5ddee5f73392c387940f4fbcbabfc3431 (patch)
tree: cd4f915a41c064d35e5bf3065d2bbdc516e8adf9 /net/netfilter/nft_meta.c
parent: fb961945457f5177072c968aa38fee910ab893b9 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 91fd6e677ad7..6180626c3f80 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -284,6 +284,11 @@ static void nft_meta_set_eval(const struct nft_expr *expr,
 
 		skb->nf_trace = !!value8;
 		break;
+#ifdef CONFIG_NETWORK_SECMARK
+	case NFT_META_SECMARK:
+		skb->secmark = value;
+		break;
+#endif
 	default:
 		WARN_ON(1);
 	}
@@ -436,6 +441,9 @@ static int nft_meta_set_init(const struct nft_ctx *ctx,
 	switch (priv->key) {
 	case NFT_META_MARK:
 	case NFT_META_PRIORITY:
+#ifdef CONFIG_NETWORK_SECMARK
+	case NFT_META_SECMARK:
+#endif
 		len = sizeof(u32);
 		break;
 	case NFT_META_NFTRACE:
author	Christian Göttsche <cgzones@googlemail.com>	2018-09-23 20:26:16 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-09-28 14:28:34 +0200
commit	b473a1f5ddee5f73392c387940f4fbcbabfc3431 (patch)
tree	cd4f915a41c064d35e5bf3065d2bbdc516e8adf9 /net/netfilter/nft_meta.c
parent	fb961945457f5177072c968aa38fee910ab893b9 (diff)