Blame bootstrap_ver/extensions/libxt_socket.man

Packit Service dd8e2b
This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
packet. It matches if there is an established or non\-zero bound listening
socket (possibly with a non\-local address). The lookup is performed using
the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
\fBembedded\fP in an ICMP/ICMPv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non-transparent sockets.
.TP
\fB\-\-nowildcard\fP
Do not ignore sockets bound to 'any' address.
The socket match won't accept zero\-bound listeners by default, since
then local services could intercept traffic that would otherwise be forwarded.
This option therefore has security implications when used to match traffic being
forwarded to redirect such packets to the local machine with policy routing.
When using the socket match to implement fully transparent
proxies bound to non\-local addresses it is recommended to use the \-\-transparent
option instead.
.PP
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
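As an added example (not taken from the iptables man page or the project's own sources), here is the rule set that makes the "mark 1 is delivered locally" assumption above hold: the \-\-transparent socket match marks packets for sockets opened with IP_TRANSPARENT, and policy routing then hands those packets to the local stack. The DIVERT chain name and routing table 100 are assumptions; commands go through $RUN so the default (RUN=echo) only prints them.

```shell
#!/bin/sh
# Added example, not part of the iptables man page. Every command is run
# through $RUN: RUN=echo (the default) prints the rule set for review,
# RUN= applies it (requires root / CAP_NET_ADMIN).
RUN=${RUN:-echo}

# Emit the socket-match diversion for TCP plus the policy routing that
# delivers marked packets locally. Arguments: fwmark value, routing table id.
socket_divert_rules() {
    mark=$1
    table=$2
    # Dedicated chain so the mark/accept pair stays readable (name assumed)
    $RUN iptables -t mangle -N DIVERT
    # --transparent: only IP_TRANSPARENT sockets are considered, so a
    # wildcard-bound local listener cannot capture forwarded traffic
    $RUN iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
    $RUN iptables -t mangle -A DIVERT -j MARK --set-mark "$mark"
    $RUN iptables -t mangle -A DIVERT -j ACCEPT
    # Policy routing: packets carrying the mark use a table whose only
    # route declares every destination local, so they reach the proxy socket
    $RUN ip rule add fwmark "$mark" lookup "$table"
    $RUN ip route add local 0.0.0.0/0 dev lo table "$table"
}

socket_divert_rules 1 100
```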
.TP
\fB\-\-restore\-skmark\fP
Set the packet mark to the matching socket's mark. Can be combined with the
\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
to be matched when restoring the packet mark.
.PP
Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
sets a mark on them with the \fBSO_MARK\fP socket option. We can filter matching packets:
.IP
\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action
.IP
\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
.IP
\-t mangle \-A action \-m mark \-\-mark 11 \-j action3