src: Expose socket mark via socket expression

This can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Máté Eckl <ecklm94@gmail.com> 2018-08-01 20:09:22 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-08-03 12:25:59 +0200
commit: 9ea0401e385e1dd3f1579a4e772aa876a5e21288 (patch)
tree: 44c88a4960fda27226bdd11b938d1a3871af1588 /doc
parent: 029d9b3c16ae2354b6397c325a8dc389c67d970b (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 50093b49..88ea7edf 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -143,6 +143,7 @@ or non-zero bound listening socket (possibly with a non-local address).
 |transparent|
 Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
 boolean (1 bit)
+|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
 |==================
 
 .Using socket expression
@@ -154,6 +155,22 @@ table inet x {
         socket transparent 1 mark set 0x00000001 accept
     }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        socket mark 0x0000000f nftrace set 1
+    }
+}
+
+# Set packet mark to socket mark
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport 8080 mark set socket mark
+    }
+}
 ----------------------
 
 FIB EXPRESSIONS
author	Máté Eckl <ecklm94@gmail.com>	2018-08-01 20:09:22 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-08-03 12:25:59 +0200
commit	9ea0401e385e1dd3f1579a4e772aa876a5e21288 (patch)
tree	44c88a4960fda27226bdd11b938d1a3871af1588 /doc
parent	029d9b3c16ae2354b6397c325a8dc389c67d970b (diff)