author: Harout Hedeshian <harouth@codeaurora.org> 2015-06-15 18:41:19 -0600
committer: Lorenzo Colitti <lorenzo@google.com> 2015-07-29 07:54:07 +0000
commit: de2fa7133374831bcb5080a43e567e2e41f84ee7
tree: b201af9b3832b3667d384fc2145d4255d42537aa /extensions/libxt_tcp.c
parent: fbb436cf1271a2868f5c55009bb8bf044a6aa809
extensions: libxt_socket: add --restore-skmark option

xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets.

Suppose there are 2 applications, each with its own set of transparent sockets. The first application wants all matching packets dropped, while the second application wants them forwarded somewhere else.

Add the ability to restore the skb->mark from the sk_mark. The mark is only restored if a matching socket is found and the transparent / nowildcard conditions are satisfied.

Now the 2 hypothetical applications can differentiate their sockets based on a mark value set with SO_MARK.

    iptables -t mangle -I PREROUTING -m socket --transparent \
                                     --restore-skmark -j action
    iptables -t mangle -A action -m mark --mark 10 -j action2
    iptables -t mangle -A action -m mark --mark 11 -j action3

Bug: 20663075
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3b20fc71c99acd604d635deacef99769e36191b5)
Change-Id: If746841dea9db9f1c7ad1d74ed37fa13109e37ff

Diffstat (limited to 'extensions/libxt_tcp.c')
0 files changed, 0 insertions, 0 deletions