author | Jeremy Sowden <jeremy@azazel.net> | 2023-04-11 21:45:34 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-01 21:43:16 +0200 |
commit | 6ab0fd6c67dbccedb49209b94eb7f740dd32fd2a (patch) | |
tree | 8f376a718fd3c1bc28577a6fb00ec5c3ccdf9133 /src/exthdr.c | |
parent | 19245dd1e0c8e1e007a3b98527e379337d57b49a (diff) |
exthdr: add boolean DCCP option matching
Iptables supports the matching of DCCP packets based on the presence
or absence of DCCP options. Extend exthdr expressions to add this
functionality to nftables.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/exthdr.c')
-rw-r--r-- | src/exthdr.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/exthdr.c b/src/exthdr.c
index 3e5f5cd8..d0274bea 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -84,6 +84,9 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
 if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
 return;
 nft_print(octx, " %s", expr->exthdr.tmpl->token);
+ } else if (expr->exthdr.op == NFT_EXTHDR_OP_DCCP) {
+ nft_print(octx, "dccp option %d", expr->exthdr.raw_type);
+ return;
 } else {
 if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
 nft_print(octx, "exthdr %s", name);
@@ -177,6 +180,8 @@ static struct expr *exthdr_expr_parse_udata(const struct nftnl_udata *attr)
 case NFT_EXTHDR_OP_SCTP:
 return sctp_chunk_expr_alloc(&internal_location, desc_id, type);
+ case NFT_EXTHDR_OP_DCCP:
+ return dccpopt_expr_alloc(&internal_location, type);
 case __NFT_EXTHDR_OP_MAX:
 return NULL;
 }
@@ -206,6 +211,7 @@ static int exthdr_expr_build_udata(struct nftnl_udata_buf *udbuf,
 case NFT_EXTHDR_OP_TCPOPT:
 case NFT_EXTHDR_OP_IPV4:
 case NFT_EXTHDR_OP_SCTP:
+ case NFT_EXTHDR_OP_DCCP:
 nftnl_udata_put_u32(udbuf, NFTNL_UDATA_EXTHDR_OP, op);
 nftnl_udata_put_u32(udbuf, NFTNL_UDATA_EXTHDR_DESC, expr->exthdr.raw_type);
 break;
@@ -332,6 +338,8 @@ void exthdr_init_raw(struct expr *expr, uint8_t type,
 return ipopt_init_raw(expr, type, offset, len, flags, true);
 if (op == NFT_EXTHDR_OP_SCTP)
 return sctp_chunk_init_raw(expr, type, offset, len, flags);
+ if (op == NFT_EXTHDR_OP_DCCP)
+ return dccpopt_init_raw(expr, type, offset, len);
 expr->len = len;
 expr->exthdr.flags = flags; |
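Review bot: The new `NFT_EXTHDR_OP_DCCP` branch in exthdr_expr_print (hunk `@@ -84,6 +84,9 @@`) prints the option and returns without consulting `NFT_EXTHDR_F_PRESENT`, unlike the branches on either side of it, and nothing in the code says why. A short comment such as `/* DCCP options are matched by presence only; there is no field name to print */` would record that this is deliberate. `raw_type` appears to be an 8-bit unsigned value (exthdr_init_raw takes `uint8_t type`), so `%u` would describe it more accurately than `%d`, although the promoted value prints the same. The function starts and ends outside the hunk.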
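Review bot: The DCCP case in exthdr_expr_parse_udata (hunk `@@ -177,6 +180,8 @@`) passes `type` to dccpopt_expr_alloc(), whereas the build side (hunk `@@ -206,6 +211,7 @@`) stores the option number, `expr->exthdr.raw_type`, under `NFTNL_UDATA_EXTHDR_DESC`. How `type` and `desc_id` are decoded is outside the hunk, but the SCTP case just above suggests `desc_id` is the value read back from that attribute. If so, the DCCP option number does not survive the user-data round trip, and a listing could show a different option than the one installed. Confirm which attribute carries the option number and, if it is the descriptor, use `return dccpopt_expr_alloc(&internal_location, desc_id);`. Since both values are read from a netlink user-data blob, it is also worth checking that dccpopt_expr_alloc() (not shown) validates the range of its argument.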
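Review bot: The DCCP branch in exthdr_init_raw (hunk `@@ -332,6 +338,8 @@`) drops the `flags` argument that the ipopt and SCTP branches forward, so whatever flags the caller supplied are ignored for this op. If that is because DCCP matching is presence-only, say so in a comment, e.g. `/* DCCP options support existence checks only, so flags are not forwarded */`; whether dccpopt_init_raw() sets `NFT_EXTHDR_F_PRESENT` itself is not visible here. If callers can pass flags taken from a kernel-supplied expression, silently normalising them means the printed ruleset may not reflect what is actually loaded, which is worth confirming. The function body continues outside the hunk.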