diff options
| author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-06-22 19:12:08 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-17 10:22:39 +0200 |
| commit | 1188a69604c3df2a63daca9e735fdb535e8f6b63 (patch) | |
| tree | 21887d78f5b30023546f40da96aaa4cf256a59e5 /src/parser_bison.y | |
| parent | 82cc676289803cfd1e69dfeaa4658d57a1547a86 (diff) | |
src: introduce SYNPROXY matching
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
| -rw-r--r-- | src/parser_bison.y | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index c7591bc2..53e66952 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -23,6 +23,7 @@ #include <linux/netfilter/nf_nat.h> #include <linux/netfilter/nf_log.h> #include <linux/netfilter/nfnetlink_osf.h> +#include <linux/netfilter/nf_synproxy.h> #include <linux/xfrm.h> #include <netinet/ip_icmp.h> #include <netinet/icmp6.h> @@ -200,6 +201,11 @@ int nft_lex(void *, void *, void *); %token OSF "osf" +%token SYNPROXY "synproxy" +%token MSS "mss" +%token WSCALE "wscale" +%token SACKPERM "sack-perm" + %token HOOK "hook" %token DEVICE "device" %token DEVICES "devices" @@ -611,6 +617,9 @@ int nft_lex(void *, void *, void *); %type <val> nf_nat_flags nf_nat_flag offset_opt %type <stmt> tproxy_stmt %destructor { stmt_free($$); } tproxy_stmt +%type <stmt> synproxy_stmt synproxy_stmt_alloc +%destructor { stmt_free($$); } synproxy_stmt synproxy_stmt_alloc + %type <stmt> queue_stmt queue_stmt_alloc %destructor { stmt_free($$); } queue_stmt queue_stmt_alloc @@ -2289,6 +2298,7 @@ stmt : verdict_stmt | fwd_stmt | set_stmt | map_stmt + | synproxy_stmt ; verdict_stmt : verdict_expr @@ -2719,6 +2729,43 @@ tproxy_stmt : TPROXY TO stmt_expr } ; +synproxy_stmt : synproxy_stmt_alloc + | synproxy_stmt_alloc synproxy_args + ; + +synproxy_stmt_alloc : SYNPROXY + { + $$ = synproxy_stmt_alloc(&@$); + } + ; + +synproxy_args : synproxy_arg + { + $<stmt>$ = $<stmt>0; + } + | synproxy_args synproxy_arg + ; + +synproxy_arg : MSS NUM + { + $<stmt>0->synproxy.mss = $2; + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_MSS; + } + | WSCALE NUM + { + $<stmt>0->synproxy.wscale = $2; + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_WSCALE; + } + | TIMESTAMP + { + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_TIMESTAMP; + } + | SACKPERM + { + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_SACK_PERM; + } + ; + primary_stmt_expr : symbol_expr { $$ = $1; } | integer_expr { $$ = $1; } | boolean_expr { $$ = $1; } |