It can be used like ct mark or meta mark except it cannot be set.
doc and tests are included.

Signed-off-by: Máté Eckl <eckl...@gmail.com>
---
v2:
 - doc: remove 0 retval when there's no match

 doc/nft.xml                         | 23 +++++++++++++++++++++++
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c                      |  6 +++++-
 src/parser_bison.y                  |  2 ++
 src/parser_json.c                   |  2 ++
 src/socket.c                        |  8 +++++++-
 tests/py/inet/socket.t              |  2 ++
 tests/py/inet/socket.t.json         | 14 ++++++++++++++
 tests/py/inet/socket.t.payload      | 15 +++++++++++++++
 9 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 190a8ee..c122e8e 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3058,6 +3058,13 @@ raw prerouting meta secpath exists accept
                                                                </entry>
                                                                <entry>boolean 
(1 bit)</entry> <!-- From the aspect of the user at least. -->
                                                        </row>
+                                                       <row>
+                                                               
<entry>mark</entry>
+                                                               <entry>
+                                                                       Value 
of the socket mark (SOL_SOCKET, SO_MARK).
+                                                               </entry>
+                                                               
<entry>mark</entry>
+                                                       </row>
                                                </tbody>
                                        </tgroup>
                                </table>
@@ -3073,6 +3080,22 @@ table inet x {
         socket transparent 1 mark set 0x00000001 accept
     }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        socket mark 0x0000000f nftrace set 1
+    }
+}
+
+# Set packet mark to socket mark
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport 8080 mark set socket mark
+    }
+}
                                        </programlisting>
                                </example>
                        </para>
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
        NFT_SOCKET_TRANSPARENT,
-
+       NFT_SOCKET_MARK,
        __NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, 
struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+       int maxval = 0;
+
+       if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+               maxval = 1;
        __expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder,
-                          (*expr)->len, 1);
+                          (*expr)->len, maxval);
        return 0;
 }
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@ primary_stmt_expr :       symbol_expr             { $$ = 
$1; }
                        |       hash_expr               { $$ = $1; }
                        |       payload_expr            { $$ = $1; }
                        |       keyword_expr            { $$ = $1; }
+                       |       socket_expr                     { $$ = $1; }
                        ;
 
 shift_stmt_expr                :       primary_stmt_expr
@@ -3575,6 +3576,7 @@ socket_expr               :       SOCKET  socket_key
                        ;
 
 socket_key             : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+                       |       MARK { $$ = NFT_SOCKET_MARK; }
                        ;
 
 offset_opt             :       /* empty */     { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx 
*ctx,
 
        if (!strcmp(key, "transparent"))
                keyval = NFT_SOCKET_TRANSPARENT;
+       else if (!strcmp(key, "mark"))
+               keyval = NFT_SOCKET_MARK;
 
        if (keyval == -1) {
                json_error(ctx, "Invalid socket key value.");
diff --git a/src/socket.c b/src/socket.c
index 7cfe5a9..c963699 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -18,7 +18,13 @@ const struct socket_template socket_templates[] = {
                                           .dtype = &integer_type,
                                           .len = BITS_PER_BYTE,
                                           .byteorder = BYTEORDER_HOST_ENDIAN,
-                                         }
+                                         },
+       [NFT_SOCKET_MARK]               = {
+                                          .token = "mark",
+                                          .dtype = &mark_type,
+                                          .len = 4 * BITS_PER_BYTE,
+                                          .byteorder = BYTEORDER_HOST_ENDIAN,
+                                         },
 };
 
 static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
index 8edfa78..91846e8 100644
--- a/tests/py/inet/socket.t
+++ b/tests/py/inet/socket.t
@@ -7,3 +7,5 @@
 socket transparent 0;ok
 socket transparent 1;ok
 socket transparent 2;fail
+
+socket mark 0x00000005;ok
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
index c1ac1d1..235c3e9 100644
--- a/tests/py/inet/socket.t.json
+++ b/tests/py/inet/socket.t.json
@@ -26,3 +26,17 @@
     }
 ]
 
+# socket mark 0x00000005
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "mark"
+                }
+            },
+            "right": 5
+        }
+    }
+]
+
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
index acad2ac..687b7a4 100644
--- a/tests/py/inet/socket.t.payload
+++ b/tests/py/inet/socket.t.payload
@@ -28,3 +28,18 @@ inet sockin sockchain
   [ socket load transparent => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
 
+# socket mark 0x00000005
+ip sockip4 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+ip6 sockip6 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+inet sockin sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
-- 
ecklm

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to