From: "Christian Göttsche" <cgzones@googlemail.com>
To: netfilter-devel@vger.kernel.org
Subject: nftables: secmark support
Date: Tue, 22 Oct 2019 17:57:25 +0200
Message-ID: <CAJ2a_DcUH1ZaovOTNS14Z64Bwj5R5y4LLmZUeEPWFaNKECS6mQ@mail.gmail.com>
Hi,
I am trying to finally get secmark with nftables to work.
The kernel[1][2] and libnftnl[3] parts are done.
For the nft front-end I think some things need further changes beyond
those already introduced[4].
1.
I found no way to store the secmark label into the connection tracking
state and thereby set the label on established,related packets.
Using a patch[5] it works with the following syntax:
(Note: The patch will currently probably not apply to current master,
due to [6])
[... define secmarks and port maps ...]
chain input {
    type filter hook input priority 0;
    ct state new meta secmark set tcp dport map @secmapping_in
    ct state new ip protocol icmp meta secmark set "icmp_server"
    ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
    ct state new ct secmark_raw set meta secmark_raw
    ct state established,related meta secmark_raw set ct secmark_raw
}
chain output {
    type filter hook output priority 0;
    ct state new meta secmark set tcp dport map @secmapping_out
    ct state new ip protocol icmp meta secmark set "icmp_client"
    ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
    ct state new ct secmark_raw set meta secmark_raw
    ct state established,related meta secmark_raw set ct secmark_raw
}
2.
The rules in 1. are not idempotent. The output of 'nft list ruleset' is:
chain input {
    type filter hook input priority filter; policy accept;
    ct state new secmark name tcp dport map @secmapping_in
    ct state new ip protocol icmp secmark name "icmp_server"
    ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_server"
    ct state new ct secmark set secmark
    ct state established,related secmark set ct secmark
}
chain output {
    type filter hook output priority filter; policy accept;
    ct state new secmark name tcp dport map @secmapping_out
    ct state new ip protocol icmp secmark name "icmp_client"
    ct state new ip6 nexthdr ipv6-icmp secmark name "icmp_client"
    ct state new ct secmark set secmark
    ct state established,related secmark set ct secmark
}
What are the code locations to fix?
3.
The patch also adds the ability to reset secmarks.
Is there a way to query the kernel about the actual secid (to verify
the reset works)?
4.
Maybe I can contribute a howto for wiki.nftables.org. What is the
preferred format?
Best regards,
Christian Göttsche
[1] https://github.com/torvalds/linux/commit/fb961945457f5177072c968aa38fee910ab893b9
[2] https://github.com/torvalds/linux/commit/b473a1f5ddee5f73392c387940f4fbcbabfc3431
[3] https://git.netfilter.org/libnftnl/commit/?id=aaf20ad0dc22d2ebcad1b2c43288e984f0efe2c3
[4] https://git.netfilter.org/nftables/commit/?id=3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea
[5] https://salsa.debian.org/cgzones-guest/pkg-nftables/blob/master/debian/patches/0004-secmark-add-missing-pieces.patch
[6] https://git.netfilter.org/nftables/commit/?id=998142c71d095d79488495ea545a704213fa0ba0
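The idempotency problem in point 2 (the text printed by 'nft list ruleset' does not load back into the same rules) is easy to check mechanically, and the same check is worth running on any ruleset before it is put into a config-management loop. The script below is an added example and is not part of the mail or of the nftables project; the function name nft_roundtrip and the NFT variable are my own. It assumes an nft binary on PATH and, because it flushes the ruleset between the two listings, it must be run in a throwaway network namespace (for example 'unshare -rn sh nft-roundtrip.sh ruleset.nft', or 'sudo unshare -n ...'), never against the host's live ruleset.

```shell
#!/bin/sh
# Round-trip check for an nftables ruleset file (added example, not project code).
#
# Loads the file, dumps the live ruleset with 'nft list ruleset', flushes,
# reloads that dump and dumps again. If the second listing differs from the
# first, the listing syntax does not parse back into the same rules, which
# is the "not idempotent" symptom described in the mail above.
#
# The check flushes the ruleset, so run it only inside a throwaway network
# namespace, e.g. 'unshare -rn sh nft-roundtrip.sh ruleset.nft'.
# NFT can be pointed at a wrapper or a stub; it defaults to the nft binary.
NFT=${NFT:-nft}

# Returns 0 when the ruleset round-trips unchanged, 1 when the two listings
# differ (the unified diff is printed), 2 when a load or listing step fails.
nft_roundtrip() {
    rt_file=$1
    rt_tmp=$(mktemp -d) || return 2

    # Dry run first: syntax errors in the input are reported without
    # touching the kernel ruleset at all.
    "$NFT" -c -f "$rt_file" || { rm -rf "$rt_tmp"; return 2; }

    "$NFT" -f "$rt_file" || { rm -rf "$rt_tmp"; return 2; }
    "$NFT" list ruleset > "$rt_tmp/first.nft" || { rm -rf "$rt_tmp"; return 2; }

    # Start again from an empty ruleset so the second listing reflects only
    # what the first listing parses to.
    "$NFT" flush ruleset || { rm -rf "$rt_tmp"; return 2; }
    "$NFT" -f "$rt_tmp/first.nft" || { rm -rf "$rt_tmp"; return 2; }
    "$NFT" list ruleset > "$rt_tmp/second.nft" || { rm -rf "$rt_tmp"; return 2; }

    if diff -u "$rt_tmp/first.nft" "$rt_tmp/second.nft"; then
        rt_rc=0
    else
        rt_rc=1
    fi
    rm -rf "$rt_tmp"
    return $rt_rc
}

# Stand-alone usage: sh nft-roundtrip.sh <ruleset-file>
if [ -n "${1-}" ]; then
    nft_roundtrip "$1"
    exit $?
fi
```

A non-zero exit from the reload step (code 2) means the listing is not even accepted as input; exit code 1 means it is accepted but parses to something else, as the mail's 'secmark name' output suggests. The check says nothing about the secid the kernel actually holds (point 3 in the mail); it only compares the two textual listings.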