author | Manuel Messner <mm@skelett.io> | 2017-02-07 03:14:12 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-02-12 15:34:47 +0100 |
commit | 864a1b44e1937a42753648644a812f70f9500a73 (patch) | |
tree | 97976d52c9d08746bd68d611be1c8443090475da /include | |
parent | 9574c263569f477114d7885ebcf5af8af6411582 (diff) |
src: add TCP option matching
This patch enables nft to match against TCP options.
Currently these TCP options are supported:
* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)
Syntax: tcp options $option_name [$offset] $field_name
Example:
# count all incoming packets with a specific maximum segment size `x`
# nft add rule filter input tcp option maxseg size x counter
# count all incoming packets with a SACK TCP option where the third
# (counted from zero) left field is greater than `x`.
# nft add rule filter input tcp option sack 2 left \> x counter
If the offset (the `2` in the example above) is zero, it can optionally
be omitted.
For all non-SACK TCP options it is always zero, thus can be left out.
Option names and field names are parsed from templates, similar to meta
and ct options rather than via keywords to prevent adding more keywords
than necessary.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include')
-rw-r--r-- | include/expression.h | 1 | ||||
-rw-r--r-- | include/exthdr.h | 2 | ||||
-rw-r--r-- | include/tcpopt.h | 26 |
3 files changed, 29 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index ec90265b..83ecf111 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -281,6 +281,7 @@ struct expr {
 const struct exthdr_desc *desc;
 const struct proto_hdr_template *tmpl;
 unsigned int offset;
+ enum nft_exthdr_op op;
 } exthdr;
 struct {
 /* EXPR_META */
diff --git a/include/exthdr.h b/include/exthdr.h
index 93a53f30..cdcc2b95 100644
--- a/include/exthdr.h
+++ b/include/exthdr.h
@@ -2,6 +2,7 @@
 #define NFTABLES_EXTHDR_H
 
 #include <proto.h>
+#include <tcpopt.h>
 
 /**
  * struct exthdr_desc - extension header description
@@ -78,6 +79,7 @@ enum mh_hdr_fields {
 MHHDR_CHECKSUM,
 };
 
+extern const struct expr_ops exthdr_expr_ops;
 extern const struct exthdr_desc exthdr_hbh;
 extern const struct exthdr_desc exthdr_rt;
 extern const struct exthdr_desc exthdr_rt0;
diff --git a/include/tcpopt.h b/include/tcpopt.h
new file mode 100644
index 00000000..5b990083
--- /dev/null
+++ b/include/tcpopt.h
@@ -0,0 +1,26 @@
+#ifndef NFTABLES_TCPOPT_H
+#define NFTABLES_TCPOPT_H
+
+#include <proto.h>
+#include <exthdr.h>
+
+extern struct expr *tcpopt_expr_alloc(const struct location *loc,
+ const char *option_str,
+ const unsigned int option_num,
+ const char *optioni_field);
+
+extern void tcpopt_init_raw(struct expr *expr, uint8_t type,
+ unsigned int offset, unsigned int len);
+
+extern bool tcpopt_find_template(struct expr *expr, const struct expr *mask,
+ unsigned int *shift);
+
+extern const struct exthdr_desc tcpopt_eol;
+extern const struct exthdr_desc tcpopt_nop;
+extern const struct exthdr_desc tcpopt_maxseg;
+extern const struct exthdr_desc tcpopt_window;
+extern const struct exthdr_desc tcpopt_sack_permitted;
+extern const struct exthdr_desc tcpopt_sack;
+extern const struct exthdr_desc tcpopt_timestamp;
+
+#endif /* NFTABLES_TCPOPT_H */
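Review bot: The new `op` member in the exthdr arm of struct expr is added without a comment, and its type `enum nft_exthdr_op` is the kernel nf_tables UAPI enum, which the hunk does not show expression.h including — worth confirming the header is still self-contained rather than depending on a translation unit's include order. A one-line comment such as `/* NFT_EXTHDR_OP_*: which header family the lookup walks (IPv6 extension headers vs TCP options) */` would tell a reader why an extension-header expression now carries an operation selector. The enclosing struct expr starts and ends outside the hunk.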
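Review bot: The added `#include <tcpopt.h>` in exthdr.h together with the `#include <exthdr.h>` in the new tcpopt.h makes the two headers include each other; the guards prevent recursion, and with only pointer and `extern` uses of `struct exthdr_desc` it happens to compile in either include order, but the first definition added to either file that needs the other's types would break one order and not the other. Nothing in the visible exthdr.h context uses a tcpopt.h symbol, and tcpopt.h only names `struct exthdr_desc` through extern declarations, so a forward declaration `struct exthdr_desc;` in tcpopt.h in place of `#include <exthdr.h>` would remove the cycle; if exthdr.h needs tcpopt.h further down the file (not visible here), the include can stay on that side alone. The same point applies to the tcpopt.h hunk.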
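Review bot: The fourth parameter of `tcpopt_expr_alloc` is spelled `optioni_field`, which reads as a typo for `option_field`; prototype parameter names are the header's documentation, so this is what every caller will see. `const unsigned int option_num` qualifies a by-value parameter, which has no effect in a declaration and is normally left out of headers: `unsigned int option_num,` and `const char *option_field);`. The header also says nothing about the accepted ranges of `option_num` and of the `type`/`offset`/`len` arguments to `tcpopt_init_raw`, which originate in rule text; a short doc comment naming where they are validated (presumably the parser or evaluation step, not visible here) would make the contract explicit. `uint8_t` and `bool` are used without a direct `<stdint.h>`/`<stdbool.h>` include, so the header relies on proto.h supplying them.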