* [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark
@ 2015-07-13 16:01 Harout Hedeshian
2015-07-15 16:42 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Harout Hedeshian @ 2015-07-13 16:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: Harout Hedeshian
Update the man pages for libxt_socket with a description and example
usage of the --restore-skmark option.
Also added tests for libxt_socket with various combinations of
--restore-skmark and the existing options.
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
---
extensions/libxt_socket.man | 14 ++++++++++++++
extensions/libxt_socket.t | 4 ++++
2 files changed, 18 insertions(+)
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 2ef32ce..f809df6 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -20,3 +20,17 @@ option instead.
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
+.TP
+\fB\-\-restore\-skmark\fP
+Set the packet mark to the matching socket's mark. Can be combined with the
+\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
+to be matched when restoring the packet mark.
+.PP
+Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
+sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
+.IP
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action
+.IP
+\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
+.IP
+\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
diff --git a/extensions/libxt_socket.t b/extensions/libxt_socket.t
index 8c0036e..fe4eb3e 100644
--- a/extensions/libxt_socket.t
+++ b/extensions/libxt_socket.t
@@ -2,3 +2,7 @@
*mangle
-m socket;=;OK
-m socket --transparent --nowildcard;=;OK
+-m socket --transparent --nowildcard --restore-skmark;=;OK
+-m socket --transparent --restore-skmark;=;OK
+-m socket --nowildcard --restore-skmark;=;OK
+-m socket --restore-skmark;=;OK
--
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark
2015-07-13 16:01 [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark Harout Hedeshian
@ 2015-07-15 16:42 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2015-07-15 16:42 UTC (permalink / raw)
To: Harout Hedeshian; +Cc: netfilter-devel
On Mon, Jul 13, 2015 at 10:01:30AM -0600, Harout Hedeshian wrote:
> Update the man pages for libxt_socket with a description and example
> usage of the --restore-skmark option.
>
> Also added tests for libxt_socket with various combinations of
> --restore-skmark and the existing options.
Applied, thanks Harout.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-07-15 16:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-07-13 16:01 [PATCH iptables] extensions: libxt_socket: update man pages and tests for --restore-skmark Harout Hedeshian
2015-07-15 16:42 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).