netfilter: nft_socket: Expose socket mark

Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 89438e6..f466860 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -921,10 +921,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
        NFT_SOCKET_TRANSPARENT,
+       NFT_SOCKET_MARK,
        __NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 622ac20..d7f3776 100644 (file)
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -54,6 +54,14 @@ static void nft_socket_eval(const struct nft_expr *expr,
        case NFT_SOCKET_TRANSPARENT:
                nft_reg_store8(dest, inet_sk_transparent(sk));
                break;
+       case NFT_SOCKET_MARK:
+               if (sk_fullsock(sk)) {
+                       *dest = sk->sk_mark;
+               } else {
+                       regs->verdict.code = NFT_BREAK;
+                       return;
+               }
+               break;
        default:
                WARN_ON(1);
                regs->verdict.code = NFT_BREAK;
@@ -91,6 +99,9 @@ static int nft_socket_init(const struct nft_ctx *ctx,
        case NFT_SOCKET_TRANSPARENT:
                len = sizeof(u8);
                break;
+       case NFT_SOCKET_MARK:
+               len = sizeof(u32);
+               break;
        default:
                return -EOPNOTSUPP;
        }