From: Balazs Scheidler <bazsi77@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: Balazs Scheidler <bazsi77@gmail.com>
Subject: [PATCH nftables v2 3/5] doc: added documentation on "socket wildcard"
Date: Sat, 29 Aug 2020 09:04:03 +0200
Message-ID: <20200829070405.23636-4-bazsi77@gmail.com>
In-Reply-To: <20200829070405.23636-1-bazsi77@gmail.com>

Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
---
 doc/primary-expression.txt | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index a9c39cbb..e87e8cc2 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -195,7 +195,7 @@ raw prerouting meta ipsec exists accept
 SOCKET EXPRESSION
 ~~~~~~~~~~~~~~~~~
 [verse]
-*socket* {*transparent* | *mark*}
+*socket* {*transparent* | *mark* | *wildcard*}
 
 Socket expression can be used to search for an existing open TCP/UDP socket and
 its attributes that can be associated with a packet. It looks for an established
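Review bot: the synopsis now lists *wildcard* alongside *transparent* and *mark*, but the paragraph directly below it still only says the lookup finds "an established or non-zero bound listening socket"; one sentence here explaining that the lookup may also return a listener bound to the unspecified address, and that the new key exists to tell the two apart, would tell the reader when *wildcard* is relevant before they reach the attribute table.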
@@ -209,15 +209,20 @@ or non-zero bound listening socket (possibly with a non-local address).
 Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.|
 boolean (1 bit)
 |mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
+|wildcard|
+Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). |
+boolean (1 bit)
 |==================
 
 .Using socket expression
 ------------------------
-# Mark packets that correspond to a transparent socket
+# Mark packets that correspond to a transparent socket. "socket wildcard 0"
+# means that zero-bound listener sockets are NOT matched (which is usually
+# exactly what you want).
 table inet x {
     chain y {
 	type filter hook prerouting priority -150; policy accept;
-        socket transparent 1 mark set 0x00000001 accept
+        socket transparent 1 socket wildcard 0 mark set 0x00000001 accept
     }
 }
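Review bot: the description of the new key writes the IPv6 unspecified address as "::0" in "Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0)"; the usual textual form is "::", so consider "(e.g. 0.0.0.0 or ::)". The example comment also switches vocabulary from "wildcard-bound" (table) to "zero-bound listener sockets" (comment); using one term in both places avoids the reader wondering whether they mean the same thing. Finally, the rationale "which is usually exactly what you want" lives only in the example comment; a short note in the table entry on why a rule would typically add "socket wildcard 0" next to "socket transparent 1" would make the key self-explanatory for readers who skip the example.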
 
-- 
2.17.1