author: Florian Westphal <> 2013-07-12 23:29:28 +0200
committer: Pablo Neira Ayuso <> 2013-08-06 18:44:03 +0200
commit: f0d75111d788b2424f543ff2246caa2dc980aa93 (patch)
tree: 78a95b273af4c280f85e85014182857ccf9777e2 /extensions
parent: 64d45792fe8f50294034bb699ff74ecae178e975 (diff)
extensions: libxt_socket: update man page
Document --nowildcard option and its implications when using -m socket to intercept packets. While at it, update man page with Balazs Scheidler's comments from nf_tproxy_core.h in kernel tree to better explain how lookup is performed.

Cc: Eric Dumazet <>
Signed-off-by: Florian Westphal <>
Diffstat (limited to 'extensions')
1 files changed, 19 insertions, 2 deletions
diff --git a/extensions/ b/extensions/
index 41e8d674..2ef32cec 100644
--- a/extensions/
+++ b/extensions/
@@ -1,5 +1,22 @@
-This matches if an open socket can be found by doing a socket lookup on the
+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
+packet. It matches if there is an established or non\-zero bound listening
+socket (possibly with a non\-local address). The lookup is performed using
+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
+\fBembedded\fP in an ICMP/ICPMv6 error packet.
Ignore non-transparent sockets.
+Do not ignore sockets bound to 'any' address.
+The socket match won't accept zero\-bound listeners by default, since
+then local services could intercept traffic that would otherwise be forwarded.
+This option therefore has security implications when used to match traffic being
+forwarded to redirect such packets to local machine with policy routing.
+When using the socket match to implement fully transparent
+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
+option instead.
+Example (assuming packets with mark 1 are delivered locally):
+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
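Review bot: typo on the added line `\fBembedded\fP in an ICMP/ICPMv6 error packet.`: "ICPMv6" should read "ICMPv6". Two smaller wording points in the same hunk: "redirect such packets to local machine with policy routing" reads better as "redirect such packets to the local machine with policy routing", and since the commit message says the purpose is to document --nowildcard and its security implications, the single example at the end only shows --transparent; a second example line showing --nowildcard alongside the existing one would let readers see the option this change documents, and the sentence "Do not ignore sockets bound to 'any' address." would be clearer as "Do not ignore sockets bound to the 'any' (zero) address", matching the "zero-bound listeners" wording used two lines later.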