author | Máté Eckl <ecklm94@gmail.com> | 2018-05-31 20:06:16 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-06 19:43:00 +0200 |
commit | a02f8c3f6456e9a84a6c3117f2539376b152ba1f (patch) | |
tree | 80182a1faab00aa8ff43891da49ac0a62dacd136 /src/netlink_linearize.c | |
parent | 30d45266bf38b209df33e4df1a116c60531ae3e5 (diff) |
src: Introduce socket matching
For now it can only match sockets with IP(V6)_TRANSPARENT socket option
set. Example:
table inet sockin {
chain sockchain {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept
}
}
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r-- | src/netlink_linearize.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 2aadc1ee..8471e837 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -207,6 +207,18 @@ static void netlink_gen_rt(struct netlink_linearize_ctx *ctx,
 nftnl_rule_add_expr(ctx->nlr, nle);
 }
 
+static void netlink_gen_socket(struct netlink_linearize_ctx *ctx,
+ const struct expr *expr,
+ enum nft_registers dreg)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("socket");
+ netlink_put_register(nle, NFTNL_EXPR_SOCKET_DREG, dreg);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_SOCKET_KEY, expr->socket.key);
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
 static void netlink_gen_numgen(struct netlink_linearize_ctx *ctx,
 const struct expr *expr,
 enum nft_registers dreg)
@@ -694,6 +706,8 @@ static void netlink_gen_expr(struct netlink_linearize_ctx *ctx,
 return netlink_gen_hash(ctx, expr, dreg);
 case EXPR_FIB:
 return netlink_gen_fib(ctx, expr, dreg);
+ case EXPR_SOCKET:
+ return netlink_gen_socket(ctx, expr, dreg);
 default:
 BUG("unknown expression type %s\n", expr->ops->name);
 } |
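Review bot: netlink_gen_socket in the first hunk is added without a header comment, and it passes expr->socket.key through to NFTNL_EXPR_SOCKET_KEY without any check of its own, so a reader cannot tell from this file where the key is validated. If, as the commit message suggests, only the transparent key is meaningful for now, that restriction is presumably enforced earlier (parser or evaluation) and the kernel would be the first to refuse an unexpected value — worth stating so the assumption is explicit. I would add above the function `/* Emit an nft "socket" expression: the key selected in expr->socket.key goes into NFTNL_EXPR_SOCKET_KEY and the result lands in register dreg; key validity is assumed to have been checked during evaluation. */`. The second hunk only wires EXPR_SOCKET into netlink_gen_expr's dispatch and needs nothing further; that switch starts outside the hunk.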