On Mon, Jun 15, 2015 at 06:41:19PM -0600, Harout Hedeshian wrote: > xt_socket is useful for matching sockets with IP_TRANSPARENT and > taking some action on the matching packets. However, it lacks the > ability to match only a small subset of transparent sockets. > > Suppose there are 2 applications, each with its own set of transparent > sockets. The first application wants all matching packets dropped, > while the second application wants them forwarded somewhere else. > > Add the ability to retore the skb->mark from the sk_mark. The mark > is only restored if a matching socket is found and the transparent / > nowildcard conditions are satisfied. > > Now the 2 hypothetical applications can differentiate their sockets > based on a mark value set with SO_MARK. > > iptables -t mangle -I PREROUTING -m socket --transparent \ > --restore-skmark -j action > iptables -t mangle -I PREROUTING -m socket --transparent \ > --restore-skmark -j action > iptables -t mangle -A action -m mark --mark 10 -j action2 > iptables -t mangle -A action -m mark --mark 11 -j action3 Applied, thanks. It would be great if you can send me another patch to update the manpage and the libxt_socket.t test file. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html