author    Manuel Messner <mm@skelett.io>  2017-02-07 03:14:12 +0100
committer Florian Westphal <fw@strlen.de>  2017-02-12 15:34:47 +0100
commit    864a1b44e1937a42753648644a812f70f9500a73 (patch)
tree      97976d52c9d08746bd68d611be1c8443090475da /doc
parent    9574c263569f477114d7885ebcf5af8af6411582 (diff)
src: add TCP option matching
This patch enables nft to match against TCP options. Currently these TCP
options are supported:

* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)

Syntax:

    tcp options $option_name [$offset] $field_name

Example:

    # count all incoming packets with a specific maximum segment size `x`
    # nft add rule filter input tcp option maxseg size x counter

    # count all incoming packets with a SACK TCP option where the third
    # (counted from zero) left field is greater than `x`.
    # nft add rule filter input tcp option sack 2 left \> x counter

If the offset (the `2` in the example above) is zero, it can optionally be
omitted. For all non-SACK TCP options it is always zero, thus can be left out.

Option names and field names are parsed from templates, similar to meta and
ct options rather than via keywords to prevent adding more keywords than
necessary.

Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
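As an added example, not part of this patch or of the nftables code base: a Python walk over a TCP option list that computes the same fields the new `tcp option` expression matches on (`kind`, `length`, `size`, `count`, `left`, `right`, `tsval`, `tsecr`), so the semantics described above can be checked against raw bytes: `eol` and `noop` are single-byte options without a length field, and the SACK `offset` selects one (left, right) block counted from zero. The option bytes, the `parse_tcp_options` / `tcp_option_field` helpers and their names are this example's own, not nft's parser or its templates.

```python
"""Walk a TCP option list and evaluate `tcp option <name> [<offset>] <field>`
the way the nft syntax above describes it (example code, not nftables')."""
import struct

# Option kinds from RFC 793 / RFC 2018 / RFC 7323, named after the nft keywords.
KINDS = {0: "eol", 1: "noop", 2: "maxseg", 3: "window", 4: "sack_permitted",
         5: "sack", 8: "timestamp"}


def parse_tcp_options(opts: bytes) -> list:
    """Return one dict per option, keyed by the nft field names.

    eol and noop carry only 'kind' (no length byte); parsing stops at eol.
    A length < 2 or one that runs past the buffer is rejected instead of
    being skipped, so a malformed option list cannot make the walk loop."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List: rest is padding
            out.append({"name": "eol", "kind": 0})
            break
        if kind == 1:                      # No-Operation: one byte, no length
            out.append({"name": "noop", "kind": 1})
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        data = opts[i + 2:i + length]
        opt = {"name": KINDS.get(kind, "kind%d" % kind), "kind": kind,
               "length": length}
        if kind == 2 and length == 4:      # MSS: 16-bit size
            opt["size"] = struct.unpack("!H", data)[0]
        elif kind == 3 and length == 3:    # Window scale: 8-bit shift count
            opt["count"] = data[0]
        elif kind == 5:                    # SACK: n * (left, right) 32-bit edges
            if (length - 2) % 8:
                raise ValueError("SACK length %d is not 2 + 8*n" % length)
            edges = struct.unpack("!%dI" % ((length - 2) // 4), data)
            opt["blocks"] = [(edges[j], edges[j + 1])
                             for j in range(0, len(edges), 2)]
        elif kind == 8 and length == 10:   # Timestamps: tsval, tsecr
            opt["tsval"], opt["tsecr"] = struct.unpack("!II", data)
        out.append(opt)
        i += length
    return out


def tcp_option_field(opts: bytes, name: str, field: str, offset: int = 0):
    """Value the rule `tcp option <name> [<offset>] <field>` would compare
    against, or None when the option (or the requested SACK block) is absent,
    in which case the rule simply does not match."""
    for opt in parse_tcp_options(opts):
        if opt["name"] != name:
            continue
        if name == "sack" and field in ("left", "right"):
            blocks = opt["blocks"]
            if offset >= len(blocks):
                return None
            return blocks[offset][0 if field == "left" else 1]
        return opt.get(field)
    return None


# Constructed sample: options of a typical Linux SYN (MSS 1460, SACK permitted,
# timestamps tsval=1/tsecr=0, NOP, window scale 7), 20 bytes.
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a" "0000000100000000" "01" "030307")

# Constructed sample: NOP, NOP, then a SACK option (length 26) with three blocks.
SACK_OPTS = b"\x01\x01\x05\x1a" + struct.pack("!6I", 1000, 2000, 3000, 4000,
                                                5000, 6000)


def demo() -> dict:
    """The commit message's rules evaluated against the constructed samples."""
    return {
        "maxseg size": tcp_option_field(SYN_OPTS, "maxseg", "size"),
        "window count": tcp_option_field(SYN_OPTS, "window", "count"),
        "sack_permitted kind": tcp_option_field(SYN_OPTS, "sack_permitted", "kind"),
        "timestamp tsval": tcp_option_field(SYN_OPTS, "timestamp", "tsval"),
        "sack 2 left": tcp_option_field(SACK_OPTS, "sack", "left", 2),
        "sack 3 left": tcp_option_field(SACK_OPTS, "sack", "left", 3),
    }


if __name__ == "__main__":
    for rule, value in demo().items():
        print("tcp option %-20s -> %s" % (rule, value))
```

Running the block shows `sack 2 left` resolving to the third block's left edge (5000) and `sack 3 left` resolving to nothing, which is what "counted from zero" and "the rule does not match when the option is absent" mean in practice; it also shows that the kind of `sack_permitted`, if present, is 4.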
Diffstat (limited to 'doc')
-rw-r--r--  doc/nft.xml  178
1 file changed, 173 insertions, 5 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index be729a89..28258104 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2363,14 +2363,182 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
</table>
</para>
</refsect2>
- </refsect1>
- <refsect1>
- <title>bla</title>
<refsect2>
- <title>IPv6 extension header expressions</title>
+ <title>Extension header expressions</title>
+ <para>
+ Extension header expressions refer to data from variable-sized protocol headers, such as IPv6 extension headers and
+ TCPs options.
+ </para>
+ <para>
+ nftables currently supports matching (finding) a given ipv6 extension header or TCP option.
+ </para>
+ <cmdsynopsis>
+ <command>hbh</command>
+ <group choice="req">
+ <arg>nexthdr</arg>
+ <arg>hdrlength</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>frag</command>
+ <group choice="req">
+ <arg>nexthdr</arg>
+ <arg>frag-off</arg>
+ <arg>more-fragments</arg>
+ <arg>id</arg>
+ </group>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>rt</command>
+ <group choice="req">
+ <arg>nexthdr</arg>
+ <arg>hdrlength</arg>
+ <arg>type</arg>
+ <arg>seg-left</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>dst</command>
+ <group choice="req">
+ <arg>nexthdr</arg>
+ <arg>hdrlength</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>mh</command>
+ <group choice="req">
+ <arg>nexthdr</arg>
+ <arg>hdrlength</arg>
+ <arg>checksum</arg>
+ <arg>type</arg>
+ </group>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>tcp option</command>
+ <group choice="req">
+ <arg>eol</arg>
+ <arg>noop</arg>
+ <arg>maxseg</arg>
+ <arg>window</arg>
+ <arg>sack_permitted</arg>
+ <arg>sack</arg>
+ <arg>timestamp</arg>
+ </group>
+ <arg><replaceable>offset</replaceable></arg>
+ <arg choice="none"><replaceable>tcp_option_field</replaceable></arg>
+ </cmdsynopsis>
+ <para>
+ <table frame="all">
+ <title>IPv6 extension headers</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>hbh</entry>
+ <entry>Hop by Hop</entry>
+ </row>
+ <row>
+ <entry>rt</entry>
+ <entry>Routing Header</entry>
+ </row>
+ <row>
+ <entry>frag</entry>
+ <entry>Fragmentation header</entry>
+ </row>
+ <row>
+ <entry>dst</entry>
+ <entry>dst options</entry>
+ </row>
+ <row>
+ <entry>mh</entry>
+ <entry>Mobility Header</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <table frame="all">
+ <title>TCP Options</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname='c1'/>
+ <colspec colname='c2'/>
+ <colspec colname='c3'/>
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Description</entry>
+ <entry>TCP option fields</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>eol</entry>
+ <entry>End of option list</entry>
+ <entry>kind</entry>
+ </row>
+ <row>
+ <entry>noop</entry>
+ <entry>1 Byte TCP No-op options</entry>
+ <entry>kind</entry>
+ </row>
+ <row>
+ <entry>maxseg</entry>
+ <entry>TCP Maximum Segment Size</entry>
+ <entry>kind, length, size</entry>
+ </row>
+ <row>
+ <entry>window</entry>
+ <entry>TCP Window Scaling</entry>
+ <entry>kind, length, count</entry>
+ </row>
+ <row>
+ <entry>sack_permitted</entry>
+ <entry>TCP SACK permitted</entry>
+ <entry>kind, length</entry>
+ </row>
+ <row>
+ <entry>sack</entry>
+ <entry>TCP Selective Acknowledgement</entry>
+ <entry>kind, length, left, right</entry>
+ </row>
+ <row>
+ <entry>timestamp</entry>
+ <entry>TCP Timestamps</entry>
+ <entry>kind, length, tsval, tsecr</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+
+ <para>
+ The <replaceable>offset</replaceable> is only used for the SACK TCP option fields <command>left</command> and <command>right</command>.
+ For all non-SACK TCP options it is always zero.
+ <replaceable>Offsets</replaceable> which equals to zero can be omitted.
+ </para>
+
<para>
- IPv6 extension header expressions refer to data from an IPv6 packet's extension headers.
+ <example>
+ <title>finding TCP options</title>
+ <programlisting>
+filter input tcp option sack_permitted kind 1 counter
+ </programlisting>
+ </example>
+ <example>
+ <title>matching IPv6 exthdr</title>
+ <programlisting>
+ip6 filter input frag more-fragments 1 counter
+ </programlisting>
+ </example>
</para>
</refsect2>
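Review bot: the "finding TCP options" example at the end of this hunk, `filter input tcp option sack_permitted kind 1 counter`, can never match, since the SACK-permitted option has kind 4 (kind 1 is `noop`); a reader who copies it gets a counter that stays at zero. Use `kind 4`, or better an example whose field carries information, e.g. `filter input tcp option maxseg size 1460 counter`, mirroring the `maxseg size x` rule in the commit message. Smaller points in the same hunk: "TCPs options" should read "TCP options"; "Offsets which equals to zero can be omitted" should read "An offset of zero can be omitted"; "ipv6 extension header" should be "IPv6" to match the table title; "dst options" in the table is clearer as "Destination Options"; and the synopsis and both examples use `tcp option` while the commit message's Syntax line says `tcp options`, so one of the two should be aligned with the other.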