| This matches if an open TCP/UDP socket can be found by doing a socket lookup on the |
| packet. It matches if there is an established or non\-zero bound listening |
| socket (possibly with a non\-local address). The lookup is performed using |
| the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header |
| \fBembedded\fP in an ICMP/ICPMv6 error packet. |
| .TP |
| \fB\-\-transparent\fP |
| Ignore non-transparent sockets. |
| .TP |
| \fB\-\-nowildcard\fP |
| Do not ignore sockets bound to 'any' address. |
| The socket match won't accept zero\-bound listeners by default, since |
| then local services could intercept traffic that would otherwise be forwarded. |
| This option therefore has security implications when used to match traffic being |
| forwarded to redirect such packets to local machine with policy routing. |
| When using the socket match to implement fully transparent |
| proxies bound to non\-local addresses it is recommended to use the \-\-transparent |
| option instead. |
| .PP |
| Example (assuming packets with mark 1 are delivered locally): |
| .IP |
| \-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1 |
| .TP |
| \fB\-\-restore\-skmark\fP |
| Set the packet mark to the matching socket's mark. Can be combined with the |
| \fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets |
| to be matched when restoring the packet mark. |
| .PP |
| Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and |
| sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets: |
| .IP |
| \-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action |
| .IP |
| \-t mangle \-A action \-m mark \-\-mark 10 \-j action2 |
| .IP |
| \-t mangle \-A action \-m mark \-\-mark 11 \-j action3 |