From 9ea0401e385e1dd3f1579a4e772aa876a5e21288 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?= <ecklm94@gmail.com>
Date: Wed, 1 Aug 2018 20:09:22 +0200
Subject: src: Expose socket mark via socket expression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This can be used like ct mark or meta mark except it cannot be set. doc
and tests are included.

Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/primary-expression.txt          | 17 +++++++++++++++++
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c                      |  6 +++++-
 src/parser_bison.y                  |  4 +++-
 src/parser_json.c                   |  2 ++
 src/socket.c                        | 17 ++++++++++++-----
 tests/py/inet/socket.t              |  2 ++
 tests/py/inet/socket.t.json         | 14 ++++++++++++++
 tests/py/inet/socket.t.payload      | 15 +++++++++++++++
 9 files changed, 73 insertions(+), 9 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 50093b49..88ea7edf 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -143,6 +143,7 @@ or non-zero bound listening socket (possibly with a non-local address).
 |transparent|
 Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
 boolean (1 bit)
+|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
 |==================
 
 .Using socket expression
@@ -154,6 +155,22 @@ table inet x {
         socket transparent 1 mark set 0x00000001 accept
     }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        socket mark 0x0000000f nftrace set 1
+    }
+}
+
+# Set packet mark to socket mark
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport 8080 mark set socket mark
+    }
+}
 ----------------------
 
 FIB EXPRESSIONS
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index d98cebb0..ea374ae6 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
-
+	NFT_SOCKET_MARK,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index da95cdf9..b793c125 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1715,8 +1715,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+	int maxval = 0;
+
+	if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+		maxval = 1;
 	__expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder,
-			   (*expr)->len, 1);
+			   (*expr)->len, maxval);
 	return 0;
 }
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index fe3c10ba..827b0580 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2531,6 +2531,7 @@ primary_stmt_expr	:	symbol_expr		{ $$ = $1; }
 			|	hash_expr               { $$ = $1; }
 			|	payload_expr		{ $$ = $1; }
 			|	keyword_expr		{ $$ = $1; }
+			|	socket_expr		{ $$ = $1; }
 			;
 
 shift_stmt_expr		:	primary_stmt_expr
@@ -3618,7 +3619,8 @@ socket_expr		:	SOCKET	socket_key
 			}
 			;
 
-socket_key 		: TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+socket_key 		: 	TRANSPARENT	{ $$ = NFT_SOCKET_TRANSPARENT; }
+			|	MARK		{ $$ = NFT_SOCKET_MARK; }
 			;
 
 offset_opt		:	/* empty */	{ $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf7..80364d97 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx,
 
 	if (!strcmp(key, "transparent"))
 		keyval = NFT_SOCKET_TRANSPARENT;
+	else if (!strcmp(key, "mark"))
+		keyval = NFT_SOCKET_MARK;
 
 	if (keyval == -1) {
 		json_error(ctx, "Invalid socket key value.");
diff --git a/src/socket.c b/src/socket.c
index 7cfe5a9d..d90b0416 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -14,11 +14,18 @@
 #include <json.h>
 
 const struct socket_template socket_templates[] = {
-	[NFT_SOCKET_TRANSPARENT]	= {.token = "transparent",
-					   .dtype = &integer_type,
-					   .len = BITS_PER_BYTE,
-					   .byteorder = BYTEORDER_HOST_ENDIAN,
-					  }
+	[NFT_SOCKET_TRANSPARENT] = {
+		.token		= "transparent",
+		.dtype		= &integer_type,
+		.len		= BITS_PER_BYTE,
+		.byteorder	= BYTEORDER_HOST_ENDIAN,
+	},
+	[NFT_SOCKET_MARK] = {
+		.token		= "mark",
+		.dtype		= &mark_type,
+		.len		= 4 * BITS_PER_BYTE,
+		.byteorder	= BYTEORDER_HOST_ENDIAN,
+	},
 };
 
 static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
index 8edfa78d..91846e8e 100644
--- a/tests/py/inet/socket.t
+++ b/tests/py/inet/socket.t
@@ -7,3 +7,5 @@
 socket transparent 0;ok
 socket transparent 1;ok
 socket transparent 2;fail
+
+socket mark 0x00000005;ok
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
index c1ac1d12..235c3e94 100644
--- a/tests/py/inet/socket.t.json
+++ b/tests/py/inet/socket.t.json
@@ -26,3 +26,17 @@
     }
 ]
 
+# socket mark 0x00000005
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "mark"
+                }
+            },
+            "right": 5
+        }
+    }
+]
+
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
index acad2ace..687b7a45 100644
--- a/tests/py/inet/socket.t.payload
+++ b/tests/py/inet/socket.t.payload
@@ -28,3 +28,18 @@ inet sockin sockchain
   [ socket load transparent => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
 
+# socket mark 0x00000005
+ip sockip4 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+ip6 sockip6 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+inet sockin sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
-- 
cgit v1.2.3