Optionally generate Netfilter NFT tables. Sample output:
```#!/usr/sbin/nft -f
flush ruleset
table inet security {
secmark default_input_packet {
"system_u:object_r:server_packet_t:s0"
}
secmark default_output_packet {
"system_u:object_r:client_packet_t:s0"
}
secmark afs_bos_input {
"system_u:object_r:afs_bos_server_packet_t:s0"
}
secmark afs_bos_output {
"system_u:object_r:afs_bos_client_packet_t:s0"
}
...
chain INPUT {
type filter hook input priority 0; policy accept;
ct state new meta secmark set "default_input_packet"
ct state new udp dport 7007 meta secmark set "afs_bos_input"
...
ct state new ct secmark set meta secmark
ct state established,related meta secmark set ct secmark
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
ct state new meta secmark set "default_output_packet"
ct state new udp dport 7007 meta secmark set "afs_bos_output"
...
ct state new ct secmark set meta secmark
ct state established,related meta secmark set ct secmark
}
}
```
The labels are applied to TCP and/or UDP as needed. MCS and MLS are
not really handled.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
