extensions: libxt_socket: update man pages and tests for --restore-skmark

Update the man pages for libxt_socket with a description and example
usage of the --restore-skmark option.

Also added tests for libxt_socket with various combinations of
--restore-skmark and the existing options.

Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 18 insertions, 0 deletions

diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 2ef32cec..f809df69 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -20,3 +20,17 @@ option instead.
 Example (assuming packets with mark 1 are delivered locally):
 .IP
 \-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
+.TP
+\fB\-\-restore\-skmark\fP
+Set the packet mark to the matching socket's mark. Can be combined with the
+\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
+to be matched when restoring the packet mark.
+.PP
+Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
+sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
+.IP
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action
+.IP
+\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
+.IP
+\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
diff --git a/extensions/libxt_socket.t b/extensions/libxt_socket.t
index 8c0036e2..fe4eb3e4 100644
--- a/extensions/libxt_socket.t
+++ b/extensions/libxt_socket.t
@@ -2,3 +2,7 @@
 *mangle
 -m socket;=;OK
 -m socket --transparent --nowildcard;=;OK
+-m socket --transparent --nowildcard --restore-skmark;=;OK
+-m socket --transparent --restore-skmark;=;OK
+-m socket --nowildcard --restore-skmark;=;OK
+-m socket --restore-skmark;=;OK