Displaying 3 results from an estimated 3 matches for "secctx".
2012 Oct 16
1
Trouble with tftp
....10.1
in /etc/shorewall/rules, and:
loadmodule nf_conntrack_tftp
in /etc/shorewall/modules.
The module is loaded and I do see some entries come and go, e.g.:
udp 17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED] src=10.10.10.1 dst=4.28.99.164 sport=69 dport=2071 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=2
But it appears that the replies from the client are still being blocked, e.g.:
Oct 16 10:17:34 inferno kernel: [1841301.871809] Shorewall:dmz2loc:REJECT:IN=em2 OUT=em1 MAC=00:b0:d0:df:e3:1e:00:22:19:1d:0c:a4:08:00 SRC=4.28.99.164 DST=10.10.10.1 LEN=32 TOS...
2020 Jun 06
0
[ANNOUNCE] nftables 0.9.5 release
...ty filter;
flow add @bar counter
}
}
You can list the counters via `conntrack -L':
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
The [OFFLOAD] status bit specifies that this flow is exercising the
f...
2024 Apr 18
3
[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes
https://bugzilla.netfilter.org/show_bug.cgi?id=1749
Bug ID: 1749
Summary: netfilter/nftables secmark support limited to 255 bytes
Product: netfilter/iptables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: unknown