From: Harout Hedeshian <harouth@codeaurora.org>
To: netfilter-devel@vger.kernel.org
Cc: Harout Hedeshian <harouth@codeaurora.org>
Subject: [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark
Date: Mon, 13 Jul 2015 10:01:30 -0600 [thread overview]
Message-ID: <1436803290-31561-1-git-send-email-harouth@codeaurora.org> (raw)
Update the man pages for libxt_socket with a description and example
usage of the --restore-skmark option.
Also added tests for libxt_socket with various combinations of
--restore-skmark and the existing options.
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
---
extensions/libxt_socket.man | 14 ++++++++++++++
extensions/libxt_socket.t | 4 ++++
2 files changed, 18 insertions(+)
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 2ef32ce..f809df6 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -20,3 +20,17 @@ option instead.
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
+.TP
+\fB\-\-restore\-skmark\fP
+Set the packet mark to the matching socket's mark. Can be combined with the
+\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
+to be matched when restoring the packet mark.
+.PP
+Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
+sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
+.IP
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action
+.IP
+\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
+.IP
+\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
diff --git a/extensions/libxt_socket.t b/extensions/libxt_socket.t
index 8c0036e..fe4eb3e 100644
--- a/extensions/libxt_socket.t
+++ b/extensions/libxt_socket.t
@@ -2,3 +2,7 @@
*mangle
-m socket;=;OK
-m socket --transparent --nowildcard;=;OK
+-m socket --transparent --nowildcard --restore-skmark;=;OK
+-m socket --transparent --restore-skmark;=;OK
+-m socket --nowildcard --restore-skmark;=;OK
+-m socket --restore-skmark;=;OK
--
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
next reply other threads:[~2015-07-13 16:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-13 16:01 Harout Hedeshian [this message]
2015-07-15 16:42 ` [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1436803290-31561-1-git-send-email-harouth@codeaurora.org \
--to=harouth@codeaurora.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).