summaryrefslogtreecommitdiffstats
path: root/src/socket.c
Commit message (Collapse)AuthorAgeFilesLines
* socket: add support for "wildcard" keyBalazs Scheidler2020-08-291-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables had a "-m socket --transparent" which didn't match sockets that are bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was possible to override this behavior by using --nowildcard, in which case it did match zero bound sockets as well. The issue is that nftables never included the wildcard check, so in effect it behaved like "iptables -m socket --transparent --nowildcard" with no means to exclude wildcarded listeners. This is a problem as a user-space process that binds to 0.0.0.0:<port> that enables IP_TRANSPARENT would effectively intercept traffic going in _any_ direction on the specific port, whereas in most cases, transparent proxies would only need this for one specific address. The solution is to add "socket wildcard" key to the nft_socket module, which makes it possible to match on the wildcardness of a socket from one's ruleset. This is how to use it: table inet haproxy { chain prerouting { type filter hook prerouting priority -150; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 } } This patch effectively depends on its counterpart in the kernel. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* socket: add parse and build userdata interfacePablo Neira Ayuso2019-12-171-0/+51
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: expr: remove expr_ops from struct exprFlorian Westphal2019-02-081-2/+2
| | | | | | | | size of struct expr changes from 144 to 128 bytes on x86_64. This doesn't look like much, but large rulesets can have tens of thousands of expressions (each set element is represented by an expression). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Expose socket mark via socket expressionMáté Eckl2018-08-031-5/+12
| | | | | | | | This can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for socket expressionPhil Sutter2018-06-111-0/+2
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce socket matchingMáté Eckl2018-06-061-0/+56
For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>