This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
packet. It matches if there is an established or non\-zero bound listening
socket (possibly with a non\-local address). The lookup is performed using
the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
\fBembedded\fP in an ICMP/ICMPv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non\-transparent sockets.
.TP
\fB\-\-nowildcard\fP
Do not ignore sockets bound to 'any' address.
The socket match won't accept zero\-bound listeners by default, since
then local services could intercept traffic that would otherwise be forwarded.
This option therefore has security implications when it is used to match
forwarded traffic in order to redirect such packets to the local machine with
policy routing.
When using the socket match to implement fully transparent
proxies bound to non\-local addresses, it is recommended to use the \-\-transparent
option instead.
.PP
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
.TP
\fB\-\-restore\-skmark\fP
Set the packet mark to the matching socket's mark. Can be combined with the
\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
to be matched when restoring the packet mark.
.PP
Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
.IP
\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action
.IP
\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
.IP
\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
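.PP
The caveat on the nowildcard option above can be checked mechanically. The following Python audit is an added example, not part of the iptables man page or project code: it scans iptables-save output for socket match rules that can still see forwarded traffic (chains reachable from PREROUTING) and use nowildcard without transparent. The sample ruleset and all function names are constructed for illustration.

```python
import shlex

# Constructed iptables-save excerpt for illustration (not from a real host).
SAMPLE_RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket --transparent -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -j DIVERT
-A PREROUTING -p tcp -m socket --transparent --nowildcard --restore-skmark -j ACCEPT
-A INPUT -m socket --nowildcard -j ACCEPT
-A DIVERT -m socket --nowildcard -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""

def parse_rules(ruleset):
    """Return [(table, chain, argv)] for each -A line of iptables-save output."""
    rules, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*mangle" opens a table section
            table = line[1:]
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((table, argv[1], argv[2:]))
    return rules

def reachable_from_prerouting(rules, table):
    """Names reachable from PREROUTING in one table by following -j/-g.
    Built-in targets (MARK, ACCEPT) land in the set too; they own no rules."""
    seen, todo = set(), ["PREROUTING"]
    while todo:
        chain = todo.pop()
        if chain not in seen:
            seen.add(chain)
            for t, c, argv in rules:
                if t == table and c == chain:
                    todo += [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in ("-j", "-g")]
    return seen

def risky_socket_rules(ruleset):
    # Flag: socket match, --nowildcard, no --transparent, forwarded traffic visible.
    rules, hits = parse_rules(ruleset), []
    for table, chain, argv in rules:
        uses_socket = any(a == "-m" and b == "socket" for a, b in zip(argv, argv[1:]))
        if (uses_socket and "--nowildcard" in argv and "--transparent" not in argv
                and chain in reachable_from_prerouting(rules, table)):
            hits.append((table, chain, " ".join(argv)))
    return hits
```

On the constructed sample only the DIVERT rule is reported: the INPUT rule sees traffic that is already local, and the PREROUTING rule that combines both options is restricted to transparent sockets.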