diff options
| -rw-r--r-- | doc/primary-expression.txt | 17 | ||||
| -rw-r--r-- | include/linux/netfilter/nf_tables.h | 5 | ||||
| -rw-r--r-- | src/evaluate.c | 6 | ||||
| -rw-r--r-- | src/parser_bison.y | 4 | ||||
| -rw-r--r-- | src/parser_json.c | 2 | ||||
| -rw-r--r-- | src/socket.c | 17 | ||||
| -rw-r--r-- | tests/py/inet/socket.t | 2 | ||||
| -rw-r--r-- | tests/py/inet/socket.t.json | 14 | ||||
| -rw-r--r-- | tests/py/inet/socket.t.payload | 15 |
9 files changed, 73 insertions, 9 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 50093b49..88ea7edf 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -143,6 +143,7 @@ or non-zero bound listening socket (possibly with a non-local address). |transparent| Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.| boolean (1 bit) +|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark |================== .Using socket expression @@ -154,6 +155,22 @@ table inet x { socket transparent 1 mark set 0x00000001 accept } } + +# Trace packets that corresponds to a socket with a mark value of 15 +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + socket mark 0x0000000f nftrace set 1 + } +} + +# Set packet mark to socket mark +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport 8080 mark set socket mark + } +} ---------------------- FIB EXPRESSIONS diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index d98cebb0..ea374ae6 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -923,11 +923,12 @@ enum nft_socket_attributes { /* * enum nft_socket_keys - nf_tables socket expression keys * - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_ + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option + * @NFT_SOCKET_MARK: Value of the socket mark */ enum nft_socket_keys { NFT_SOCKET_TRANSPARENT, - + NFT_SOCKET_MARK, __NFT_SOCKET_MAX }; #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) diff --git a/src/evaluate.c b/src/evaluate.c index da95cdf9..b793c125 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1715,8 +1715,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp) static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr) { + int maxval = 0; + + if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT) + maxval = 1; __expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder, - (*expr)->len, 1); + (*expr)->len, maxval); return 0; } diff --git a/src/parser_bison.y b/src/parser_bison.y index fe3c10ba..827b0580 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -2531,6 +2531,7 @@ primary_stmt_expr : symbol_expr { $$ = $1; } | hash_expr { $$ = $1; } | payload_expr { $$ = $1; } | keyword_expr { $$ = $1; } + | socket_expr { $$ = $1; } ; shift_stmt_expr : primary_stmt_expr @@ -3618,7 +3619,8 @@ socket_expr : SOCKET socket_key } ; -socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; } +socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; } + | MARK { $$ = NFT_SOCKET_MARK; } ; offset_opt : /* empty */ { $$ = 0; } diff --git a/src/parser_json.c b/src/parser_json.c index 8f29aaf7..80364d97 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx, if (!strcmp(key, "transparent")) keyval = NFT_SOCKET_TRANSPARENT; + else if (!strcmp(key, "mark")) + keyval = NFT_SOCKET_MARK; if (keyval == -1) { json_error(ctx, "Invalid socket key value."); diff --git a/src/socket.c b/src/socket.c index 7cfe5a9d..d90b0416 100644 --- a/src/socket.c +++ b/src/socket.c @@ -14,11 +14,18 @@ #include <json.h> const struct socket_template socket_templates[] = { - [NFT_SOCKET_TRANSPARENT] = {.token = "transparent", - .dtype = &integer_type, - .len = BITS_PER_BYTE, - .byteorder = BYTEORDER_HOST_ENDIAN, - } + [NFT_SOCKET_TRANSPARENT] = { + .token = "transparent", + .dtype = &integer_type, + .len = BITS_PER_BYTE, + .byteorder = BYTEORDER_HOST_ENDIAN, + }, + [NFT_SOCKET_MARK] = { + .token = "mark", + .dtype = &mark_type, + .len = 4 * BITS_PER_BYTE, + .byteorder = BYTEORDER_HOST_ENDIAN, + }, }; static void socket_expr_print(const struct expr *expr, struct output_ctx *octx) diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t index 8edfa78d..91846e8e 100644 --- a/tests/py/inet/socket.t +++ b/tests/py/inet/socket.t @@ -7,3 +7,5 @@ socket transparent 0;ok socket transparent 1;ok socket transparent 2;fail + +socket mark 0x00000005;ok diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json index c1ac1d12..235c3e94 100644 --- a/tests/py/inet/socket.t.json +++ b/tests/py/inet/socket.t.json @@ -26,3 +26,17 @@ } ] +# socket mark 0x00000005 +[ + { + "match": { + "left": { + "socket": { + "key": "mark" + } + }, + "right": 5 + } + } +] + diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload index acad2ace..687b7a45 100644 --- a/tests/py/inet/socket.t.payload +++ b/tests/py/inet/socket.t.payload @@ -28,3 +28,18 @@ inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000001 ] +# socket mark 0x00000005 +ip sockip4 sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + +# socket mark 0x00000005 +ip6 sockip6 sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + +# socket mark 0x00000005 +inet sockin sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + |