Re: [PATCH iptables] xt_socket: add --restore-skmark option

On Mon, Jun 15, 2015 at 06:41:19PM -0600, Harout Hedeshian wrote:
> xt_socket is useful for matching sockets with IP_TRANSPARENT and
> taking some action on the matching packets. However, it lacks the
> ability to match only a small subset of transparent sockets.
> 
> Suppose there are 2 applications, each with its own set of transparent
> sockets. The first application wants all matching packets dropped,
> while the second application wants them forwarded somewhere else.
> 
> Add the ability to restore the skb->mark from the sk_mark. The mark
> is only restored if a matching socket is found and the transparent /
> nowildcard conditions are satisfied.
> 
> Now the 2 hypothetical applications can differentiate their sockets
> based on a mark value set with SO_MARK.
> 
> iptables -t mangle -I PREROUTING -m socket --transparent \
>                                            --restore-skmark -j action
> iptables -t mangle -I PREROUTING -m socket --transparent \
>                                            --restore-skmark -j action
> iptables -t mangle -A action -m mark --mark 10 -j action2
> iptables -t mangle -A action -m mark --mark 11 -j action3

Applied, thanks.

It would be great if you can send me another patch to update the
manpage and the libxt_socket.t test file.
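The application side of the scheme described in the quoted commit message, as an added example that is not part of the patch or of this thread: each application creates its transparent listener with IP_TRANSPARENT and stamps it with its own SO_MARK, which is the value that `-m socket --transparent --restore-skmark` copies into skb->mark for a matching packet. The function names, the port argument and the fallback constant values are this example's own choices; marks 10 and 11 are the values the commit message's `action` chain dispatches on.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallbacks in case the libc headers predate these Linux constants
 * (the values are the generic Linux ones; an assumption of this example). */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif
#ifndef SO_MARK
#define SO_MARK 36
#endif

/*
 * Create a listening TCP socket that xt_socket's --transparent option will
 * match, and give it the mark that --restore-skmark copies into skb->mark.
 * Both setsockopt calls need CAP_NET_ADMIN.  Returns the fd, or -errno.
 * (Hypothetical helper written for this example.)
 */
int make_marked_transparent_listener(uint32_t mark, uint16_t port)
{
    struct sockaddr_in sa;
    int one = 1;
    int err;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* IP_TRANSPARENT marks the socket as transparent; this is the
     * property the --transparent condition in the match checks. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
    /* SO_MARK sets sk_mark; --restore-skmark restores exactly this value. */
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) < 0)
        goto fail;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);  /* port 0: let the kernel pick one */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto fail;
    if (listen(fd, 16) < 0)
        goto fail;
    return fd;

fail:
    err = errno;
    close(fd);
    return -err;
}

/* Read back the socket's mark (the value the kernel will restore into
 * skb->mark); -errno on failure.  Hypothetical helper for this example. */
int socket_mark(int fd)
{
    uint32_t mark = 0;
    socklen_t len = sizeof mark;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, &mark, &len) < 0)
        return -errno;
    return (int)mark;
}

int main(void)
{
    /* "Application 1" uses mark 10, "application 2" mark 11. */
    int app1 = make_marked_transparent_listener(10, 0);
    int app2 = make_marked_transparent_listener(11, 0);
    if (app1 < 0 || app2 < 0) {
        /* Usually -EPERM when run without CAP_NET_ADMIN. */
        fprintf(stderr, "setup failed: %s\n", strerror(app1 < 0 ? -app1 : -app2));
        return 1;
    }
    printf("app1 mark=%d app2 mark=%d\n", socket_mark(app1), socket_mark(app2));
    close(app1);
    close(app2);
    return 0;
}
```

With these two listeners in place, the rules from the commit message do the dispatch: the PREROUTING rule `-m socket --transparent --restore-skmark -j action` sets skb->mark to 10 or 11 depending on which application's socket the packet matched, and the `action` chain's `-m mark --mark 10` / `--mark 11` rules send each application's traffic to its own target. As the commit message says, the mark is restored only when a socket was actually found and the transparent / nowildcard conditions hold; packets that match no socket keep whatever mark they already had, so an explicit default at the end of `action` avoids treating them as one of the two applications by accident.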