The following patches expose socket mark as part of the nft socket expression.

I have tested it with two setups:

1)
server:
# nft list ruleset
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		socket mark 0x0000000f nftrace set 1
	}
}
# cat skmarktest.py
#!/usr/bin/env python3
import socket

srv = socket.socket()
# SO_REUSEADDR only takes effect when set before bind()
srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, True)
srv.bind(('192.0.2.3', 8080))
# Mark the listening socket with 15 (0xf); setting SO_MARK requires CAP_NET_ADMIN
srv.setsockopt(socket.SOL_SOCKET, socket.SO_MARK, 15)
srv.listen()
# Serve a single connection, then exit
sk = srv.accept()[0]
sk.send(b'kutya\n')
sk.close()
srv.close()
# ./skmarktest.py &
[1] 551
# nft monitor
trace id db73b26e inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11622 ip protocol tcp ip length 60 tcp sport 46792 tcp dport 8080 tcp flags == 0xc2 tcp window 29200
trace id db73b26e inet x y rule socket mark 0x0000000f nftrace set 1 (verdict continue)
trace id db73b26e inet x y verdict continue
trace id db73b26e inet x y policy accept
trace id 9b0130d6 inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11624 ip protocol tcp ip length 52 tcp sport 46792 tcp dport 8080 tcp flags == ack tcp window 229
trace id 9b0130d6 inet x y rule socket mark 0x0000000f nftrace set 1 (verdict continue)
trace id 9b0130d6 inet x y verdict continue
trace id 9b0130d6 inet x y policy accept
trace id 21301fc1 inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11625 ip protocol tcp ip length 52 tcp sport 46792 tcp dport 8080 tcp flags == 0x11 tcp window 229
trace id 21301fc1 inet x y rule socket mark 0x0000000f nftrace set 1 (verdict continue)
trace id 21301fc1 inet x y verdict continue
trace id 21301fc1 inet x y policy accept

client:
$ telnet 192.0.2.3 8080
Trying 192.0.2.3...
Connected to 192.0.2.3.
Escape character is '^]'.
kutya
Connection closed by foreign host.

2)
server:
# nft list ruleset
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		tcp dport 8080 mark set socket mark mark 0x0000000f nftrace set 1 accept
	}
}
# ./skmarktest.py &
[1] 551
# nft monitor
trace id baa7ac3c inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57686 ip protocol tcp ip length 60 tcp sport 50308 tcp dport 8080 tcp flags == 0xc2 tcp window 29200
trace id baa7ac3c inet x y rule tcp dport 8080 mark set socket mark mark 0x0000000f nftrace set 1 accept (verdict accept)
trace id 806e8f4b inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57688 ip protocol tcp ip length 52 tcp sport 50308 tcp dport 8080 tcp flags == ack tcp window 229
trace id 806e8f4b inet x y rule tcp dport 8080 mark set socket mark mark 0x0000000f nftrace set 1 accept (verdict accept)
trace id 655c0df4 inet x y packet: iif "enp0s8" ether saddr 0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57689 ip protocol tcp ip length 52 tcp sport 50308 tcp dport 8080 tcp flags == 0x11 tcp window 229
trace id 655c0df4 inet x y rule tcp dport 8080 mark set socket mark mark 0x0000000f nftrace set 1 accept (verdict accept)

nft monitor does not print anything if I modify the socket mark in skmarktest.py.

client:
The client side uses the same telnet command.
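
An added example, not part of the original message or the patch series: a small checker that groups `nft monitor` trace lines by trace id and reports which packets hit a rule of the first setup's form (`socket mark <value>`), so the manual test above can be asserted on. The function names are hypothetical and SAMPLE_TRACE is constructed, with shortened packet lines in the format of the trace shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample: shortened lines in the format of the `nft monitor` trace.
SAMPLE_TRACE = """\
trace id db73b26e inet x y packet: iif "enp0s8" ip saddr 192.0.2.1 ip daddr 192.0.2.3 tcp sport 46792 tcp dport 8080 tcp flags == 0xc2
trace id db73b26e inet x y rule socket mark 0x0000000f nftrace set 1 (verdict continue)
trace id db73b26e inet x y verdict continue
trace id db73b26e inet x y policy accept
trace id 9b0130d6 inet x y packet: iif "enp0s8" ip saddr 192.0.2.1 ip daddr 192.0.2.3 tcp sport 46792 tcp dport 8080 tcp flags == ack
trace id 9b0130d6 inet x y rule socket mark 0x0000000f nftrace set 1 (verdict continue)
trace id 9b0130d6 inet x y policy accept
"""

# "trace id <id> <family> <table> <chain> <event...>"
LINE_RE = re.compile(r"^trace id (?P<id>[0-9a-f]+) \S+ \S+ \S+ (?P<rest>.*)$")
RULE_RE = re.compile(r"^rule (?P<rule>.*) \(verdict (?P<verdict>[^)]+)\)$")
# Matches the comparison form only, not "mark set socket mark" (second setup).
MARK_RE = re.compile(r"\bsocket mark (0x[0-9a-fA-F]+|\d+)")

def summarize(trace_text):
    """Group trace lines by trace id: packet header, matched rules, policy."""
    events = defaultdict(lambda: {"packet": None, "rules": [], "policy": None})
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompts, job-control output, blank lines
        ev, rest = events[m["id"]], m["rest"]
        if rest.startswith("packet: "):
            ev["packet"] = rest[len("packet: "):]
        elif (r := RULE_RE.match(rest)):
            ev["rules"].append((r["rule"], r["verdict"]))
        elif rest.startswith("policy "):
            ev["policy"] = rest.split()[1]
    return dict(events)

def packets_matching_mark(trace_text, mark):
    """Trace ids (in order seen) that hit a rule comparing socket mark to `mark`."""
    hits = []
    for tid, ev in summarize(trace_text).items():
        for rule, _verdict in ev["rules"]:
            m = MARK_RE.search(rule)
            if m and int(m.group(1), 16 if m.group(1).startswith("0x") else 10) == mark:
                hits.append(tid)
                break
    return hits
```
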