* How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
From: Chen Linxuan @ 2025-04-15 6:52 UTC
To: netfilter
I am trying to determine whether it is possible to achieve
functionality equivalent to iptables -m owner --socket-exist using
nft. From my understanding, the socket expression in nft does not seem
to directly allow for a simple check of whether a socket exists.
Could you please provide guidance or suggestions on how to achieve this in nft?
Best regards,
Chen Linxuan
* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
From: Sunny73Cr @ 2025-04-15 20:24 UTC
To: Chen Linxuan; +Cc: netfilter
> iptables -m owner --socket-exist
You may be looking for 'meta skuid'; you'll need the user ID that 'owns' a 'service'. You can `cat /etc/passwd` to find this information. 'meta skuid' will match a packet that is destined to or sourced from a socket that is owned by the user id that you specify.
Try `su -l [username] -c "[executable path]"` to run a program as another user; if it does not do so already.
Regards,
sunny
* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
From: Chen Linxuan @ 2025-04-16 1:43 UTC
To: Sunny73Cr; +Cc: Chen Linxuan, netfilter
Sunny73Cr <Sunny73Cr@protonmail.com> wrote on Wed, 16 Apr 2025 at 04:24:
>
> > iptables -m owner --socket-exist
>
> You may be looking for 'meta skuid'; you'll need the user ID that 'owns' a 'service'. You can `cat /etc/passwd` to find this information. 'meta skuid' will match a packet that is destined to or sourced from a socket that is owned by the user id that you specify.
What if I want something like `iptables -A OUTPUT -m owner
--socket-exists -j LOG --log-prefix OWN_SOCKETS`?
I just want to check whether there is a local socket associated with the packet or not.
>
> Try `su -l [username] -c "[executable path]"` to run a program as another user; if it does not do so already.
>
> Regards,
> sunny
>
>
* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
From: Sunny73Cr @ 2025-04-16 19:56 UTC
To: Chen Linxuan; +Cc: netfilter
> --socket-exists
> I just want to check is there a local socket associated with the packet or not.
Apologies; I have misunderstood what this flag does.
You could try:
`iptables -A FORWARD -j MARK --set-mark $FWD_TAG`
`iptables -A OUTPUT -m connmark ! --mark $FWD_TAG -j LOG --log-prefix OWN_SK`
Regards,
sunny
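Both suggestions from this thread, the `meta skuid` match from the first reply and the mark-and-log pair from the second, written as one nft ruleset. This is an added example, not something posted in the thread; the table and chain names, the mark value 0x1 and the uid 1000 are assumptions, and the third rule is the closest approximation to `--socket-exists` the author of this example knows of, not an nft feature by that name.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Names, mark value and uid are assumed;
# check the file with `nft -c -f` before loading it.

define FWD_TAG = 0x1
define SVC_UID = 1000   # assumed uid of the service whose packets we want logged

table inet owner_demo {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Forwarded packets never belong to a local socket. Tag the
        # connection (ct mark, not the packet mark) so the tag is visible
        # on later packets of the same flow in other hooks.
        ct mark set $FWD_TAG
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # First reply: match by the uid that owns the originating socket.
        # The rule cannot match a packet that has no local socket at all.
        meta skuid $SVC_UID log prefix "OWN_SK_UID: "

        # Second reply: log locally generated packets of flows that were
        # never seen in the forward hook.
        ct mark != $FWD_TAG log prefix "OWN_SK: "

        # Approximation of --socket-exists (assumption, verify on your
        # kernel): evaluating meta skuid breaks out of the rule when the
        # packet carries no full socket, so a range covering every uid
        # matches exactly the packets that do have a local socket owner,
        # and kernel-generated packets such as ICMP errors or RSTs without
        # a socket fall through unlogged.
        meta skuid 0-4294967295 log prefix "OWN_SOCKETS: "
    }
}
```

The two iptables rules in the thread set a packet mark in FORWARD but test a connmark in OUTPUT; the ruleset above uses `ct mark` on both sides so the tag actually persists across the flow. Load it with `nft -f <file>` and read the three prefixes out of the kernel log to compare what each variant catches on a real host.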
* Re: How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft?
From: Chen Linxuan @ 2025-04-18 2:29 UTC
To: Sunny73Cr; +Cc: Chen Linxuan, netfilter
Sunny73Cr <Sunny73Cr@protonmail.com> wrote on Thu, 17 Apr 2025 at 03:57:
>
> > --socket-exists
> > I just want to check is there a local socket associated with the packet or not.
>
> Apologies; I have misunderstood what this flag does.
> You could try:
> `iptables -A FORWARD mark -j MARK --set-mark $FWD_TAG`
> `iptables -A OUTPUT -m connmark --mark ! $FWD_TAG -j LOG --log-prefix OWN_SK`
I mean that I want a nft command equivalent to `iptables -A OUTPUT -m
owner --socket-exists -j LOG --log-prefix OWN_SOCKETS`.
Is the --socket-exists feature missing in nftables?
Best regards,
Chen Linxuan
>
> Regards,
> sunny
>
>
Thread overview: 7+ messages
2025-04-15 6:52 How to Achieve Functionality Equivalent to iptables -m owner --socket-exist in nft? Chen Linxuan
2025-04-15 20:24 ` Sunny73Cr
2025-04-16 1:43 ` Chen Linxuan
2025-04-16 19:56 ` Sunny73Cr
2025-04-18 2:29 ` Chen Linxuan
2025-04-21 13:27 ` Florian Westphal
2025-04-22 1:59 ` Chen Linxuan