1This matches if an open TCP/UDP socket can be found by doing a socket lookup on the 2packet. It matches if there is an established or non\-zero bound listening 3socket (possibly with a non\-local address). The lookup is performed using 4the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header 5\fBembedded\fP in an ICMP/ICPMv6 error packet. 6.TP 7\fB\-\-transparent\fP 8Ignore non-transparent sockets. 9.TP 10\fB\-\-nowildcard\fP 11Do not ignore sockets bound to 'any' address. 12The socket match won't accept zero\-bound listeners by default, since 13then local services could intercept traffic that would otherwise be forwarded. 14This option therefore has security implications when used to match traffic being 15forwarded to redirect such packets to local machine with policy routing. 16When using the socket match to implement fully transparent 17proxies bound to non\-local addresses it is recommended to use the \-\-transparent 18option instead. 19.PP 20Example (assuming packets with mark 1 are delivered locally): 21.IP 22\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1 23.TP 24\fB\-\-restore\-skmark\fP 25Set the packet mark to the matching socket's mark. Can be combined with the 26\fB\-\-transparent\fP and \fB\-\-nowildcard\fP options to restrict the sockets 27to be matched when restoring the packet mark. 28.PP 29Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and 30sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets: 31.IP 32\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action 33.IP 34\-t mangle \-A action \-m mark \-\-mark 10 \-j action2 35.IP 36\-t mangle \-A action \-m mark \-\-mark 11 \-j action3 37