From: Balazs Scheidler <bazsi77@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: Balazs Scheidler <bazsi77@gmail.com>
Subject: [PATCH nftables v2 3/5] doc: added documentation on "socket wildcard"
Date: Sat, 29 Aug 2020 09:04:03 +0200 [thread overview]
Message-ID: <20200829070405.23636-4-bazsi77@gmail.com> (raw)
In-Reply-To: <20200829070405.23636-1-bazsi77@gmail.com>
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
---
doc/primary-expression.txt | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a9c39cbb..e87e8cc2 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -195,7 +195,7 @@ raw prerouting meta ipsec exists accept
SOCKET EXPRESSION
~~~~~~~~~~~~~~~~~
[verse]
-*socket* {*transparent* | *mark*}
+*socket* {*transparent* | *mark* | *wildcard*}
Socket expression can be used to search for an existing open TCP/UDP socket and
its attributes that can be associated with a packet. It looks for an established
@@ -209,15 +209,20 @@ or non-zero bound listening socket (possibly with a non-local address).
Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
boolean (1 bit)
|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
+|wildcard|
+Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). |
+boolean (1 bit)
|==================
.Using socket expression
------------------------
-# Mark packets that correspond to a transparent socket
+# Mark packets that correspond to a transparent socket. "socket wildcard 0"
+# means that zero-bound listener sockets are NOT matched (which is usually
+# exactly what you want).
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
- socket transparent 1 mark set 0x00000001 accept
+ socket transparent 1 socket wildcard 0 mark set 0x00000001 accept
}
}
--
2.17.1
next prev parent reply other threads:[~2020-08-29 7:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-29 7:04 Balazs Scheidler
2020-08-29 7:04 ` [PATCH nftables v2 1/5] socket: add support for "wildcard" key Balazs Scheidler
2020-08-29 11:17 ` Pablo Neira Ayuso
2020-08-29 7:04 ` [PATCH nftables v2 2/5] src/scanner.l: fix whitespace issue for the TRANSPARENT keyword Balazs Scheidler
2020-08-29 11:17 ` Pablo Neira Ayuso
2020-08-29 7:04 ` Balazs Scheidler [this message]
2020-08-29 11:17 ` [PATCH nftables v2 3/5] doc: added documentation on "socket wildcard" Pablo Neira Ayuso
2020-08-29 7:04 ` [PATCH nftables v2 4/5] tests: added "socket wildcard" testcases Balazs Scheidler
2020-08-29 11:17 ` Pablo Neira Ayuso
2020-08-29 7:04 ` [PATCH nftables v2 5/5] tests: allow tests/monitor to use a custom nft executable Balazs Scheidler
2020-08-29 11:18 ` Pablo Neira Ayuso
2020-08-29 12:24 ` Stefano Brivio
2020-08-29 14:21 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200829070405.23636-4-bazsi77@gmail.com \
--to=bazsi77@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).