* How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
@ 2025-04-15  6:52 Chen Linxuan
  2025-04-15 20:24 ` Sunny73Cr
  0 siblings, 1 reply; 7+ messages in thread
From: Chen Linxuan @ 2025-04-15  6:52 UTC (permalink / raw)
  To: netfilter

I am trying to determine whether it is possible to achieve
functionality equivalent to iptables -m owner --socket-exist using
nft. From my understanding, the socket expression in nft does not seem
to directly allow for a simple check of whether a socket exists.

Could you please provide guidance or suggestions on how to achieve this in nft?

Best regards,
Chen Linxuan


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-15  6:52 How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft? Chen Linxuan
@ 2025-04-15 20:24 ` Sunny73Cr
  2025-04-16  1:43   ` Chen Linxuan
  0 siblings, 1 reply; 7+ messages in thread
From: Sunny73Cr @ 2025-04-15 20:24 UTC (permalink / raw)
  To: Chen Linxuan; +Cc: netfilter

> iptables -m owner --socket-exist

You may be looking for 'meta skuid'; you'll need the user ID that 'owns' a 'service'. You can `cat /etc/passwd` to find this information. 'meta skuid' will match a packet that is destined to or sourced from a socket that is owned by the user id that you specify.

Try `su -l [username] -c "[executable path]"` to run a program as another user, if it does not do so already.

Regards,
sunny


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-15 20:24 ` Sunny73Cr
@ 2025-04-16  1:43   ` Chen Linxuan
  2025-04-16 19:56     ` Sunny73Cr
  0 siblings, 1 reply; 7+ messages in thread
From: Chen Linxuan @ 2025-04-16  1:43 UTC (permalink / raw)
  To: Sunny73Cr; +Cc: Chen Linxuan, netfilter

Sunny73Cr <Sunny73Cr@protonmail.com> wrote on Wed, Apr 16, 2025 at 04:24:
>
> > iptables -m owner --socket-exist
>
> You may be looking for 'meta skuid'; you'll need the user ID that 'owns' a 'service'. You can `cat /etc/passwd` to find this information. 'meta skuid' will match a packet that is destined to or sourced from a socket that is owned by the user id that you specify.

What if I want something like `iptables -A OUTPUT -m owner --socket-exists -j LOG --log-prefix OWN_SOCKETS`?
I just want to check whether there is a local socket associated with the packet or not.

>
> Try `su -l [username] -c "[executable path]"` to run a program as another user; if it does not do so already.
>
> Regards,
> sunny
>
>


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-16  1:43   ` Chen Linxuan
@ 2025-04-16 19:56     ` Sunny73Cr
  2025-04-18  2:29       ` Chen Linxuan
  0 siblings, 1 reply; 7+ messages in thread
From: Sunny73Cr @ 2025-04-16 19:56 UTC (permalink / raw)
  To: Chen Linxuan; +Cc: netfilter

> --socket-exists
> I just want to check whether there is a local socket associated with the packet or not.

Apologies; I have misunderstood what this flag does.
You could try:
`iptables -A FORWARD mark -j MARK --set-mark $FWD_TAG`
`iptables -A OUTPUT -m connmark --mark ! $FWD_TAG -j LOG --log-prefix OWN_SK`

Regards,
sunny


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-16 19:56     ` Sunny73Cr
@ 2025-04-18  2:29       ` Chen Linxuan
  2025-04-21 13:27         ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Chen Linxuan @ 2025-04-18  2:29 UTC (permalink / raw)
  To: Sunny73Cr; +Cc: Chen Linxuan, netfilter

Sunny73Cr <Sunny73Cr@protonmail.com> wrote on Thu, Apr 17, 2025 at 03:57:
>
> > --socket-exists
> > I just want to check whether there is a local socket associated with the packet or not.
>
> Apologies; I have misunderstood what this flag does.
> You could try:
> `iptables -A FORWARD mark -j MARK --set-mark $FWD_TAG`
> `iptables -A OUTPUT -m connmark --mark ! $FWD_TAG -j LOG --log-prefix OWN_SK`

I mean that I want an nft command equivalent to `iptables -A OUTPUT -m owner --socket-exists -j LOG --log-prefix OWN_SOCKETS`.

Is the --socket-exist feature missing in nftables?

Best regards,
Chen Linxuan

>
> Regards,
> sunny
>
>


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-18  2:29       ` Chen Linxuan
@ 2025-04-21 13:27         ` Florian Westphal
  2025-04-22  1:59           ` Chen Linxuan
  0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2025-04-21 13:27 UTC (permalink / raw)
  To: Chen Linxuan; +Cc: Sunny73Cr, netfilter

Chen Linxuan <chenlinxuan@uniontech.com> wrote:
> Is the --socket-exist feature missing in nftables?

meta skuid >= 0
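
Spelled out as a complete ruleset (an added example, not code from any poster in this thread): the nft equivalent of the `iptables -A OUTPUT -m owner --socket-exists -j LOG --log-prefix OWN_SOCKETS` rule asked about, built on the `meta skuid >= 0` answer. The table and chain names, the counters and the `no_socket` chain for the inverted match are my own additions, and the explanation of why the inversion needs a separate chain is my reading of how the meta expression behaves when no socket is present.

```nft
# Added example: nft ruleset equivalent to
#   iptables -A OUTPUT -m owner --socket-exists -j LOG --log-prefix OWN_SOCKETS
# Table and chain names are assumptions. Load with: nft -f <file>
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;

        # meta skuid is only evaluated when the packet has an originating
        # local socket; for a packet without one the expression fails and
        # the rule simply does not match. UIDs are unsigned, so ">= 0"
        # matches every uid and the rule reduces to "a socket exists",
        # which is what --socket-exists tested.
        meta skuid >= 0 counter log prefix "OWN_SOCKETS "

        # Inverse check (! --socket-exists) handled in its own chain below.
        jump no_socket
    }

    # Because a missing socket makes "meta skuid" fail to match regardless
    # of the operator, the negation cannot be written as "meta skuid != ...".
    # Instead, let socket-owned packets leave via "return" and log the rest.
    chain no_socket {
        meta skuid >= 0 return
        counter log prefix "NO_SOCKET "
    }
}
```

Check the ruleset with `nft -c -f <file>` before loading it; the counters let you confirm from `nft list ruleset` which of the two paths locally generated traffic actually takes.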


* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
  2025-04-21 13:27         ` Florian Westphal
@ 2025-04-22  1:59           ` Chen Linxuan
  0 siblings, 0 replies; 7+ messages in thread
From: Chen Linxuan @ 2025-04-22  1:59 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Chen Linxuan, Sunny73Cr, netfilter

Florian Westphal <fw@strlen.de> wrote on Mon, Apr 21, 2025 at 21:28:
> meta skuid >= 0

Aha, thank you!

