path: root/extensions/libipt_REJECT.c
author: Harout Hedeshian <harouth@codeaurora.org> 2015-08-21 19:23:02 -0600
committer: Linux Build Service Account <lnxbuild@localhost> 2015-10-06 03:30:27 -0600
commit: ac06e5223ab5ed1462d6c8346b2eaba207f449b7
tree: 8624cfdbadbc0729d2ba4e11feae6b032a16027d /extensions/libipt_REJECT.c
parent: 29e08c5a8a9afca125b2c4ca9803add4f86a6e14
extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied.

Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK.

    iptables -t mangle -I PREROUTING -m socket --transparent \
                                     --restore-skmark -j action
    iptables -t mangle -A action -m mark --mark 10 -j action2
    iptables -t mangle -A action -m mark --mark 11 -j action3

Change-Id: I962e87f32c241cb8d056dfd62f296fa312b05162
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'extensions/libipt_REJECT.c')
0 files changed, 0 insertions, 0 deletions