netfilter: nft_socket: Expose socket mark
authorMáté Eckl <ecklm94@gmail.com>
Thu, 12 Jul 2018 15:48:06 +0000 (17:48 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 18 Jul 2018 09:26:52 +0000 (11:26 +0200)
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/uapi/linux/netfilter/nf_tables.h
net/netfilter/nft_socket.c

index 89438e6..f466860 100644 (file)
@@ -921,10 +921,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
        NFT_SOCKET_TRANSPARENT,
+       NFT_SOCKET_MARK,
        __NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
index 622ac20..d7f3776 100644 (file)
@@ -54,6 +54,14 @@ static void nft_socket_eval(const struct nft_expr *expr,
        case NFT_SOCKET_TRANSPARENT:
                nft_reg_store8(dest, inet_sk_transparent(sk));
                break;
+       case NFT_SOCKET_MARK:
+               if (sk_fullsock(sk)) {
+                       *dest = sk->sk_mark;
+               } else {
+                       regs->verdict.code = NFT_BREAK;
+                       return;
+               }
+               break;
        default:
                WARN_ON(1);
                regs->verdict.code = NFT_BREAK;
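Review bot: The `return` in the non-full-socket branch of the new `NFT_SOCKET_MARK` case exits nft_socket_eval from inside the switch, whereas the `default` case sets `NFT_BREAK` and falls out normally; any cleanup placed after the switch (for example releasing a reference on `sk`, if the lookup earlier in the function takes one) would be skipped on this path. The start of the function is outside the hunk, so whether `sk` holds a reference at this point cannot be confirmed from these lines. I would write the branch as `} else { regs->verdict.code = NFT_BREAK; }` and let the existing `break;` leave the switch. The `sk_fullsock()` guard also deserves a comment, because it is what keeps `sk_mark` from being read off a timewait or request socket: `/* sk_mark exists only on full sockets, not on timewait/request minisocks */`.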
@@ -91,6 +99,9 @@ static int nft_socket_init(const struct nft_ctx *ctx,
        case NFT_SOCKET_TRANSPARENT:
                len = sizeof(u8);
                break;
+       case NFT_SOCKET_MARK:
+               len = sizeof(u32);
+               break;
        default:
                return -EOPNOTSUPP;
        }