http://wiki.nftables.org/wiki-nftables/index.php?action=history&feed=atom&title=SecmarkSecmark - Revision history2026-04-11T09:11:21ZRevision history for this page on the wikiMediaWiki 1.43.6http://wiki.nftables.org/wiki-nftables/index.php?title=Secmark&diff=873&oldid=prevFmyhr: Initial page, using examples from nftables 0.9.1 release notes.2021-04-09T15:04:19Z<p>Initial page, using examples from nftables 0.9.1 release notes.</p>
<p><b>New page</b></p><div>''secmark'' objects add netfilter [https://selinuxproject.org/page/NB_Networking#SECMARK SECMARK] labels to a ruleset, for use with [https://github.com/SELinuxProject SELinux] or other [https://en.wikipedia.org/wiki/Linux_Security_Modules Linux Security Modules]. At least [https://kernelnewbies.org/Linux_4.20 Linux kernel 4.20] and [https://marc.info/?l=netfilter&m=157532146917292&w=2 nftables 0.9.3] are required for ''secmark'' object support.<br />
<br />
= Using ''secmark'' in rules =<br />
<br />
The following ruleset defines an ''sshtag'' ''secmark'' object and uses it to set SECMARK on packets to port tcp/22 (ssh):<br />
<br />
<source><br />
table inet secmark_rule_demo {<br />
<br />
secmark sshtag { "system_u:object_r:ssh_server_packet_t:s0" }<br />
<br />
chain IN {<br />
type filter hook input priority filter;<br />
<br />
tcp dport 22 meta secmark set "sshtag"<br />
}<br />
}<br />
</source><br />
<br />
= Using ''secmark'' in maps =<br />
<br />
You can also use ''secmark'' in maps:<br />
<br />
<source><br />
table inet secmark_map_demo {<br />
<br />
secmark sshtag { "system_u:object_r:ssh_server_packet_t:s0" }<br />
<br />
map secmapping {<br />
type inet_service : secmark<br />
elements = {<br />
22 : "sshtag",<br />
}<br />
}<br />
<br />
chain IN {<br />
type filter hook input priority filter;<br />
<br />
meta secmark set tcp dport map @secmapping<br />
}<br />
}<br />
</source><br />
<br />
= See Also =<br />
* [http://git.netfilter.org/nftables/tree/files/examples/secmark.nft secmark.nft] example distributed with nftables source</div>Fmyhr