RE: [PATCH nf-next] netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag

> -----Original Message-----
> From: netfilter-devel-owner@xxxxxxxxxxxxxxx [mailto:netfilter-devel-
> owner@xxxxxxxxxxxxxxx] On Behalf Of Harout Hedeshian
> Sent: Monday, June 15, 2015 6:41 PM
> To: netfilter-devel@xxxxxxxxxxxxxxx
> Cc: Lorenzo Colitti; Harout Hedeshian
> Subject: [PATCH nf-next] netfilter: xt_socket: add
> XT_SOCKET_RESTORESKMARK flag
> 
> xt_socket is useful for matching sockets with IP_TRANSPARENT and
> taking some action on the matching packets. However, it lacks the
> ability to match only a small subset of transparent sockets.
> 
> Suppose there are 2 applications, each with its own set of transparent
> sockets. The first application wants all matching packets dropped,
> while the second application wants them forwarded somewhere else.
> 
> Add the ability to restore the skb->mark from the sk_mark. The mark
> is only restored if a matching socket is found and the transparent /
> nowildcard conditions are satisfied.
> 
> Now the 2 hypothetical applications can differentiate their sockets
> based on a mark value set with SO_MARK.
> 
> iptables -t mangle -I PREROUTING -m socket --transparent \
>                                            --restore-skmark -j action
> iptables -t mangle -I PREROUTING -m socket --transparent \
>                                            --restore-skmark -j action

Oops, redundant command in the commit message. I'll submit a v2 if we are
happy with the rest of the patch.

> iptables -t mangle -A action -m mark --mark 10 -j action2
> iptables -t mangle -A action -m mark --mark 11 -j action3
> 
