From: Balazs Scheidler Date: Sat, 29 Aug 2020 07:04:03 +0000 (+0200) Subject: doc: added documentation on "socket wildcard" X-Git-Tag: v0.9.7~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de8d3f35148899343a7e75dce5bbdaeceaf765ab;p=thirdparty%2Fnftables.git doc: added documentation on "socket wildcard" Signed-off-by: Balazs Scheidler Signed-off-by: Pablo Neira Ayuso --- diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index a9c39cbb..e87e8cc2 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -195,7 +195,7 @@ raw prerouting meta ipsec exists accept SOCKET EXPRESSION ~~~~~~~~~~~~~~~~~ [verse] -*socket* {*transparent* | *mark*} +*socket* {*transparent* | *mark* | *wildcard*} Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet. It looks for an established @@ -209,15 +209,20 @@ or non-zero bound listening socket (possibly with a non-local address). Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.| boolean (1 bit) |mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark +|wildcard| +Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). | +boolean (1 bit) |================== .Using socket expression ------------------------ -# Mark packets that correspond to a transparent socket +# Mark packets that correspond to a transparent socket. "socket wildcard 0" +# means that zero-bound listener sockets are NOT matched (which is usually +# exactly what you want). table inet x { chain y { type filter hook prerouting priority -150; policy accept; - socket transparent 1 mark set 0x00000001 accept + socket transparent 1 socket wildcard 0 mark set 0x00000001 accept } }
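Review bot: the first hunk extends the synopsis to `*socket* {*transparent* | *mark* | *wildcard*}`, but the unchanged context just below it still says the expression "looks for an established or non-zero bound listening socket". That sentence now reads as if zero-bound (wildcard) listeners are never found, which contradicts the new `wildcard` attribute, whose whole purpose is to report that a matched listener is bound to 0.0.0.0 or ::. Suggest rewording the intro to say the lookup covers established sockets and listening sockets (wildcard-bound or not), and that `socket wildcard` lets a rule distinguish the two.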
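Review bot: in the second hunk the new table row "Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0)" does not say which socket states it applies to; since an established socket always has a concrete local address, the attribute is only meaningful for listening sockets, and saying so (e.g. "Indicates whether a listening socket is bound to a wildcard address such as 0.0.0.0 or ::") would make the example comment "zero-bound listener sockets are NOT matched" line up with the table. Minor: `::` is the conventional spelling of the IPv6 unspecified address rather than `::0`. The example rule `socket transparent 1 socket wildcard 0 mark set 0x00000001 accept` is consistent with the intent stated in the comment, so no change needed there.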