This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
packet. It matches if there is an established or non\-zero bound listening
socket (possibly with a non\-local address). The lookup is performed using
the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
\fBembedded\fP in an ICMP/ICMPv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non-transparent sockets.
.TP
\fB\-\-nowildcard\fP
Do not ignore sockets bound to 'any' address.
The socket match won't accept zero\-bound listeners by default, since
then local services could intercept traffic that would otherwise be forwarded.
This option therefore has security implications when it is used to match
forwarded traffic in order to redirect such packets to the local machine with
policy routing.
When using the socket match to implement fully transparent
proxies bound to non\-local addresses it is recommended to use the \-\-transparent
option instead.
.PP
Example (assuming packets with mark 1 are delivered locally):
.IP
\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
.TP
\fB\-\-restore\-skmark\fP
Set the packet mark to the matching socket's mark. Can be combined with the
\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets
to be matched when restoring the packet mark.
.PP
Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
.IP
\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action
.IP
\-t mangle \-A action \-m mark \-\-mark 10 \-j action2
.IP
\-t mangle \-A action \-m mark \-\-mark 11 \-j action3
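.PP
A review aid for the \-\-nowildcard caveat, as an added example that is not part of the iptables manual: the script scans iptables-save output and lists socket-match rules that use \-\-nowildcard without \-\-transparent, the combination this page says can let local services intercept forwarded traffic. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the iptables sources): list socket-match rules that
# accept wildcard-bound listeners (--nowildcard) without also requiring the
# socket to be transparent (--transparent).

# audit_socket_rules: reads iptables-save text on stdin and prints one line per
# finding as "<table>:<chain>: <rule>". Prints nothing for a clean ruleset.
audit_socket_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*mangle" opens a table section
        /^-A / {
            if ($0 !~ /-m socket( |$)/)    next  # rule does not use the socket match
            if ($0 !~ /--nowildcard( |$)/) next  # default: zero-bound listeners ignored
            if ($0 ~  /--transparent( |$)/) next # limited to IP_TRANSPARENT sockets
            printf "%s:%s: %s\n", table, $2, $0
        }
    '
}

# sample_ruleset: constructed iptables-save style input. Only the second
# PREROUTING rule combines --nowildcard with no --transparent.
sample_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket --transparent -j DIVERT
-A PREROUTING -p udp -m socket --nowildcard -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m socket --transparent --nowildcard --restore-skmark -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: audit the constructed sample.
sample_ruleset | audit_socket_rules
```

On a live host, pipe the output of `iptables-save` into `audit_socket_rules` instead of the sample; each finding is a rule to review, not proof of a problem.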