From a02f8c3f6456e9a84a6c3117f2539376b152ba1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?= Date: Thu, 31 May 2018 20:06:16 +0200 Subject: src: Introduce socket matching MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept } } Signed-off-by: Máté Eckl Signed-off-by: Pablo Neira Ayuso --- src/netlink_linearize.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/netlink_linearize.c') diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 2aadc1ee..8471e837 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -207,6 +207,18 @@ static void netlink_gen_rt(struct netlink_linearize_ctx *ctx, nftnl_rule_add_expr(ctx->nlr, nle); } +static void netlink_gen_socket(struct netlink_linearize_ctx *ctx, + const struct expr *expr, + enum nft_registers dreg) +{ + struct nftnl_expr *nle; + + nle = alloc_nft_expr("socket"); + netlink_put_register(nle, NFTNL_EXPR_SOCKET_DREG, dreg); + nftnl_expr_set_u32(nle, NFTNL_EXPR_SOCKET_KEY, expr->socket.key); + nftnl_rule_add_expr(ctx->nlr, nle); +} + static void netlink_gen_numgen(struct netlink_linearize_ctx *ctx, const struct expr *expr, enum nft_registers dreg) @@ -694,6 +706,8 @@ static void netlink_gen_expr(struct netlink_linearize_ctx *ctx, return netlink_gen_hash(ctx, expr, dreg); case EXPR_FIB: return netlink_gen_fib(ctx, expr, dreg); + case EXPR_SOCKET: + return netlink_gen_socket(ctx, expr, dreg); default: BUG("unknown expression type %s\n", expr->ops->name); } -- cgit v1.2.3