From 9ea0401e385e1dd3f1579a4e772aa876a5e21288 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?=
Date: Wed, 1 Aug 2018 20:09:22 +0200
Subject: src: Expose socket mark via socket expression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This can be used like ct mark or meta mark except it cannot be set. doc and tests are included.

Signed-off-by: Máté Eckl
Signed-off-by: Pablo Neira Ayuso
---
 doc/primary-expression.txt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'doc')

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 50093b49..88ea7edf 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -143,6 +143,7 @@ or non-zero bound listening socket (possibly with a non-local address).
 |transparent|
 Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
 boolean (1 bit)
+|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
 |==================
 
 .Using socket expression
@@ -154,6 +155,22 @@ table inet x {
 socket transparent 1 mark set 0x00000001 accept
 }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+ chain y {
+ type filter hook prerouting priority -150; policy accept;
+ socket mark 0x0000000f nftrace set 1
+ }
+}
+
+# Set packet mark to socket mark
+table inet x {
+ chain y {
+ type filter hook prerouting priority -150; policy accept;
+ tcp dport 8080 mark set socket mark
+ }
+}
 ----------------------
 
 FIB EXPRESSIONS
-- 
cgit v1.2.3