From 494eae37f2690be4a86fd6516264979afbfe95ca Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 6 Mar 2024 11:11:25 +0100
Subject: extensions: xt_socket: add txlate support for socket match

v2: document the match semantics of -m socket.
Ignore --nowildcard if used with other options when translating and add "wildcard 0" if the option is missing.

"-m socket" will ignore sockets bound to 0.0.0.0/:: by default, unless --nowildcard is given.

So, xlate must always append "wildcard 0", and can elide "wildcard" if other options are present along with --nowildcard.

To emulate "-m socket --nowildcard", check for "wildcard <= 1" to get a "socket exists" type matching.

Signed-off-by: Florian Westphal
Acked-by: Phil Sutter
---
 extensions/libxt_socket.txlate | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 extensions/libxt_socket.txlate

diff --git a/extensions/libxt_socket.txlate b/extensions/libxt_socket.txlate
new file mode 100644
index 00000000..7731e42e
--- /dev/null
+++ b/extensions/libxt_socket.txlate
@@ -0,0 +1,17 @@
+# old socket match, no options. Matches if sk can be found and it is not bound to 0.0.0.0/::
+iptables-translate -A INPUT -m socket
+nft 'add rule ip filter INPUT socket wildcard 0 counter'
+
+iptables-translate -A INPUT -m socket --transparent
+nft 'add rule ip filter INPUT socket wildcard 0 socket transparent 1 counter'
+
+# Matches if sk can be found. Doesn't matter as to what addess it is bound to.
+# therefore, emulate "exists".
+iptables-translate -A INPUT -m socket --nowildcard
+nft 'add rule ip filter INPUT socket wildcard le 1 counter'
+
+iptables-translate -A INPUT -m socket --restore-skmark
+nft 'add rule ip filter INPUT socket wildcard 0 meta mark set socket mark counter'
+
+iptables-translate -A INPUT -m socket --transparent --nowildcard --restore-skmark
+nft 'add rule ip filter INPUT socket transparent 1 meta mark set socket mark counter'
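Review bot: the comment above the --nowildcard case has a typo, "addess" should be "address". Two coverage gaps in the same hunk are worth closing while at it: the "wildcard is elided when --nowildcard is combined with other options" rule from the commit message is only exercised with all three options together, so a bare `iptables-translate -A INPUT -m socket --transparent --nowildcard` case would pin down the two-option form; and since the first comment talks about 0.0.0.0/::, an `ip6tables-translate` counterpart for at least the no-option case would check the ip6 family path as well.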
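The translation rule the commit message spells out (always append "wildcard 0"; turn a lone --nowildcard into "wildcard le 1"; drop "wildcard" entirely when --nowildcard is combined with other options) is small enough to model on its own. The following POSIX shell function is an added example, not iptables' own xlate code; it reimplements that mapping for "-m socket" in the INPUT chain so the five expected outputs from the txlate file can be checked without an iptables-translate binary. The function name socket_xlate and the self-test are this example's own.

```shell
#!/bin/sh
# Added example: emulate the nft translation of "-m socket" described in
# the commit message. Not the iptables project's code; socket_xlate is a
# name chosen here. Prints only the match/statement part that follows
# "add rule ip filter INPUT" in the real iptables-translate output.
socket_xlate() {
    transparent=0
    nowildcard=0
    restore=0
    for opt in "$@"; do
        case "$opt" in
            --transparent)    transparent=1 ;;
            --nowildcard)     nowildcard=1 ;;
            --restore-skmark) restore=1 ;;
            *) echo "socket_xlate: unknown option: $opt" >&2; return 1 ;;
        esac
    done

    out=""
    if [ "$nowildcard" -eq 0 ]; then
        # Default semantics: a socket must be found AND it must not be
        # bound to the wildcard address (0.0.0.0 / ::), hence "wildcard 0".
        out="socket wildcard 0"
    elif [ "$transparent" -eq 0 ] && [ "$restore" -eq 0 ]; then
        # --nowildcard alone: any found socket matches regardless of the
        # bound address; "wildcard le 1" covers both 0 and 1, i.e. "exists".
        out="socket wildcard le 1"
    fi
    # --nowildcard together with other options: "wildcard" is elided,
    # the remaining expressions already require a socket to be present.

    if [ "$transparent" -eq 1 ]; then
        out="${out:+$out }socket transparent 1"
    fi
    if [ "$restore" -eq 1 ]; then
        # --restore-skmark copies the socket mark into the packet mark.
        out="${out:+$out }meta mark set socket mark"
    fi
    printf '%s counter\n' "$out"
}

# Self-test against the five cases listed in libxt_socket.txlate.
# Returns 0 when every translation matches, 1 on the first mismatch.
socket_xlate_selftest() {
    [ "$(socket_xlate)" = "socket wildcard 0 counter" ] || return 1
    [ "$(socket_xlate --transparent)" = \
        "socket wildcard 0 socket transparent 1 counter" ] || return 1
    [ "$(socket_xlate --nowildcard)" = "socket wildcard le 1 counter" ] || return 1
    [ "$(socket_xlate --restore-skmark)" = \
        "socket wildcard 0 meta mark set socket mark counter" ] || return 1
    [ "$(socket_xlate --transparent --nowildcard --restore-skmark)" = \
        "socket transparent 1 meta mark set socket mark counter" ] || return 1
    return 0
}

# Demo: print the translation for each option set from the txlate file.
for args in "" "--transparent" "--nowildcard" "--restore-skmark" \
            "--transparent --nowildcard --restore-skmark"; do
    # shellcheck disable=SC2086  # word splitting of $args is intended
    printf 'iptables -A INPUT -m socket %-45s => add rule ip filter INPUT %s\n' \
        "$args" "$(socket_xlate $args)"
done
```

The elision branch is the one to watch when extending the xlate: with --nowildcard plus any other option the function emits no "wildcard" expression at all, which is what the last txlate case expects, while a two-option combination such as --transparent --nowildcard (not in the txlate file) comes out as "socket transparent 1 counter" under the same rule.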