netfilter: iptables socket match

Add iptables 'socket' match, which matches packets for which a TCP/UDP
socket lookup succeeds.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ed1dcfb..f6c8072 100644 (file)
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -778,6 +778,21 @@ config NETFILTER_XT_MATCH_SCTP
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_SOCKET
+       tristate '"socket" match support (EXPERIMENTAL)'
+       depends on EXPERIMENTAL
+       depends on NETFILTER_TPROXY
+       depends on NETFILTER_XTABLES
+       depends on NETFILTER_ADVANCED
+       select NF_DEFRAG_IPV4
+       help
+         This option adds a `socket' match, which can be used to match
+         packets for which a TCP or UDP socket lookup finds a valid socket.
+         It can be used in combination with the MARK target and policy
+         routing to implement full featured non-locally bound sockets.
+
+         To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_STATE
        tristate '"state" match support'
        depends on NETFILTER_XTABLES

diff --cc net/netfilter/Makefile
Simple merge

diff --cc net/netfilter/xt_socket.c
Simple merge