It can be used like ct mark or meta mark except it cannot be set.
doc and tests are included.
Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
---
v2:
- doc: remove 0 retval when there's no match
v3:
- Convert doc to asciidoc
doc/primary-expression.txt | 17 +++++++++++++++++
include/linux/netfilter/nf_tables.h | 5 +++--
src/evaluate.c | 6 +++++-
src/parser_bison.y | 2 ++
src/parser_json.c | 2 ++
src/socket.c | 8 +++++++-
tests/py/inet/socket.t | 2 ++
tests/py/inet/socket.t.json | 14 ++++++++++++++
tests/py/inet/socket.t.payload | 15 +++++++++++++++
9 files changed, 67 insertions(+), 4 deletions(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 162f32f..94c6996 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -136,6 +136,7 @@ Socket expression can be used to search for an existing open TCP/UDP socket and
|transparent|
Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
boolean (1 bit)
+|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
|==================
.Using socket expression
@@ -147,6 +148,22 @@ table inet x {
socket transparent 1 mark set 0x00000001 accept
}
}
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+ chain y {
+ type filter hook prerouting priority -150; policy accept;
+ socket mark 0x0000000f nftrace set 1
+ }
+}
+
+# Set packet mark to socket mark
+table inet x {
+ chain y {
+ type filter hook prerouting priority -150; policy accept;
+ tcp dport 8080 mark set socket mark
+ }
+}
----------------------
FIB EXPRESSIONS
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
/*
* enum nft_socket_keys - nf_tables socket expression keys
*
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
*/
enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
-
+ NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
};
#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
{
+ int maxval = 0;
+
+ if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+ maxval = 1;
__expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder,
- (*expr)->len, 1);
+ (*expr)->len, maxval);
return 0;
}
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@ primary_stmt_expr : symbol_expr { $$ = $1; }
| hash_expr { $$ = $1; }
| payload_expr { $$ = $1; }
| keyword_expr { $$ = $1; }
+ | socket_expr { $$ = $1; }
;
shift_stmt_expr : primary_stmt_expr
@@ -3575,6 +3576,7 @@ socket_expr : SOCKET socket_key
;
socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+ | MARK { $$ = NFT_SOCKET_MARK; }
;
offset_opt : /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx,
if (!strcmp(key, "transparent"))
keyval = NFT_SOCKET_TRANSPARENT;
+ else if (!strcmp(key, "mark"))
+ keyval = NFT_SOCKET_MARK;
if (keyval == -1) {
json_error(ctx, "Invalid socket key value.");
diff --git a/src/socket.c b/src/socket.c
index 7cfe5a9..c963699 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -18,7 +18,13 @@ const struct socket_template socket_templates[] = {
.dtype = &integer_type,
.len = BITS_PER_BYTE,
.byteorder = BYTEORDER_HOST_ENDIAN,
- }
+ },
+ [NFT_SOCKET_MARK] = {
+ .token = "mark",
+ .dtype = &mark_type,
+ .len = 4 * BITS_PER_BYTE,
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ },
};
static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
index 8edfa78..91846e8 100644
--- a/tests/py/inet/socket.t
+++ b/tests/py/inet/socket.t
@@ -7,3 +7,5 @@
socket transparent 0;ok
socket transparent 1;ok
socket transparent 2;fail
+
+socket mark 0x00000005;ok
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
index c1ac1d1..235c3e9 100644
--- a/tests/py/inet/socket.t.json
+++ b/tests/py/inet/socket.t.json
@@ -26,3 +26,17 @@
}
]
+# socket mark 0x00000005
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "mark"
+ }
+ },
+ "right": 5
+ }
+ }
+]
+
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
index acad2ac..687b7a4 100644
--- a/tests/py/inet/socket.t.payload
+++ b/tests/py/inet/socket.t.payload
@@ -28,3 +28,18 @@ inet sockin sockchain
[ socket load transparent => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
+# socket mark 0x00000005
+ip sockip4 sockchain
+ [ socket load mark => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+ip6 sockip6 sockchain
+ [ socket load mark => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+inet sockin sockchain
+ [ socket load mark => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
+
--
ecklm
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
