Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 2 | ||||
-rw-r--r-- | include/cache.h | 4 | ||||
-rw-r--r-- | include/datatype.h | 2 | ||||
-rw-r--r-- | include/erec.h | 5 | ||||
-rw-r--r-- | include/expression.h | 9 | ||||
-rw-r--r-- | include/intervals.h | 12 | ||||
-rw-r--r-- | include/ipopt.h | 2 | ||||
-rw-r--r-- | include/json.h | 4 | ||||
-rw-r--r-- | include/mnl.h | 17 | ||||
-rw-r--r-- | include/netlink.h | 4 | ||||
-rw-r--r-- | include/nftables.h | 5 | ||||
-rw-r--r-- | include/nftables/libnftables.h | 7 | ||||
-rw-r--r-- | include/parser.h | 30 | ||||
-rw-r--r-- | include/payload.h | 15 | ||||
-rw-r--r-- | include/rbtree.h | 98 | ||||
-rw-r--r-- | include/rule.h | 3 | ||||
-rw-r--r-- | include/statement.h | 9 | ||||
-rw-r--r-- | include/tcpopt.h | 13 |
18 files changed, 119 insertions, 122 deletions
diff --git a/include/Makefile.am b/include/Makefile.am index b997f46b..ff56dfe4 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -8,6 +8,7 @@ noinst_HEADERS = cli.h \ expression.h \ fib.h \ hash.h \ + intervals.h \ ipopt.h \ json.h \ mini-gmp.h \ @@ -16,7 +17,6 @@ noinst_HEADERS = cli.h \ mnl.h \ nftables.h \ payload.h \ - rbtree.h \ tcpopt.h \ statement.h \ ct.h \ diff --git a/include/cache.h b/include/cache.h index 3a9a5e81..b6c7d48b 100644 --- a/include/cache.h +++ b/include/cache.h @@ -54,6 +54,7 @@ struct nft_cache_filter { const char *table; const char *chain; const char *set; + const char *ft; } list; struct { @@ -133,4 +134,7 @@ struct nft_cache { uint32_t flags; }; +void nft_chain_cache_update(struct netlink_ctx *ctx, struct table *table, + const char *chain); + #endif /* _NFT_CACHE_H_ */ diff --git a/include/datatype.h b/include/datatype.h index f5bb9dc4..73f38f66 100644 --- a/include/datatype.h +++ b/include/datatype.h @@ -1,6 +1,7 @@ #ifndef NFTABLES_DATATYPE_H #define NFTABLES_DATATYPE_H +#include <stdbool.h> #include <json.h> /** @@ -176,6 +177,7 @@ extern const struct datatype *datatype_lookup_byname(const char *name); extern struct datatype *datatype_get(const struct datatype *dtype); extern void datatype_set(struct expr *expr, const struct datatype *dtype); extern void datatype_free(const struct datatype *dtype); +struct datatype *dtype_clone(const struct datatype *orig_dtype); struct parse_ctx { struct symbol_tables *tbl; diff --git a/include/erec.h b/include/erec.h index 79a16290..c17f5def 100644 --- a/include/erec.h +++ b/include/erec.h 
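Review bot: `nft_chain_cache_update` in the second cache.h hunk is declared to return void, so a caller cannot learn that the refresh failed and may keep working from a stale chain cache; if the implementation can fail (a netlink dump normally can), `int nft_chain_cache_update(struct netlink_ctx *ctx, struct table *table, const char *chain);` with the 0/negative convention used elsewhere in this tree would let callers react. The declaration also carries no comment; a line such as `/* Refresh the cached chains of @table from the kernel; @chain restricts the dump when non-NULL. */` would state the filter semantics, which I am inferring from the new `const char *ft`-style filter fields rather than from anything visible in the hunk. The implementation is not in this diff, so the NULL behaviour of @chain should be confirmed there.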
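Review bot: `dtype_clone` in the second datatype.h hunk returns a freshly built `struct datatype *` but nothing states who owns the result or how it is released, while the neighbouring `datatype_get`/`datatype_free` read as a reference-counted pair and a clone may or may not participate in that counting. Suggest a comment on the declaration, e.g. `/* Deep copy of @orig_dtype; the caller owns the result and releases it with datatype_free(). */`, once the implementation confirms that is the disposal path. The surrounding declarations all carry `extern`; `extern struct datatype *dtype_clone(const struct datatype *orig_dtype);` keeps the block uniform.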
@@ -76,4 +76,9 @@ extern int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx, #define stmt_binary_error(ctx, s1, s2, fmt, args...) \ __stmt_binary_error(ctx, &(s1)->location, &(s2)->location, fmt, ## args) +void print_location(FILE *f, const struct input_descriptor *indesc, + const struct location *loc); +const char *line_location(const struct input_descriptor *indesc, + const struct location *loc, char *buf, size_t bufsiz); + #endif /* NFTABLES_EREC_H */ diff --git a/include/expression.h b/include/expression.h index 742fcdd7..2c3818e8 100644 --- a/include/expression.h +++ b/include/expression.h @@ -120,6 +120,7 @@ struct expr_ctx { enum byteorder byteorder; unsigned int len; unsigned int maxval; + const struct expr *key; }; static inline void __expr_set_context(struct expr_ctx *ctx, @@ -131,6 +132,7 @@ static inline void __expr_set_context(struct expr_ctx *ctx, ctx->byteorder = byteorder; ctx->len = len; ctx->maxval = maxval; + ctx->key = NULL; } static inline void expr_set_context(struct expr_ctx *ctx, @@ -190,6 +192,7 @@ const struct expr_ops *expr_ops_by_type(enum expr_types etype); * @EXPR_F_INTERVAL_END: set member ends an open interval * @EXPR_F_BOOLEAN: expression is boolean (set by relational expr on LHS) * @EXPR_F_INTERVAL: expression describes a interval + * @EXPR_F_KERNEL: expression resides in the kernel */ enum expr_flags { EXPR_F_CONSTANT = 0x1, @@ -198,6 +201,8 @@ enum expr_flags { EXPR_F_INTERVAL_END = 0x8, EXPR_F_BOOLEAN = 0x10, EXPR_F_INTERVAL = 0x20, + EXPR_F_KERNEL = 0x40, + EXPR_F_REMOVE = 0x80, }; #include <payload.h> 
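Review bot: `line_location` in the erec.h hunk takes a caller buffer with `bufsiz`, but the declaration does not say whether the returned `const char *` points into `buf`, what happens when the source line does not fit, or whether the result is always NUL-terminated; a caller building a diagnostic needs all three before using the string. A short comment above the prototype covering the return value's lifetime and the truncation behaviour would settle this; the implementation is not part of this diff, so I cannot state them here. `print_location` takes a `FILE *`, so erec.h must include `<stdio.h>` itself if it does not already — that cannot be confirmed from the hunk.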
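Review bot: `EXPR_F_REMOVE` is added to `enum expr_flags` in the last expression.h hunk without a matching entry in the kernel-doc block above it, whereas `EXPR_F_KERNEL` gets ` * @EXPR_F_KERNEL: expression resides in the kernel` in the preceding hunk. Add a line such as ` * @EXPR_F_REMOVE: expression is marked for removal`; the precise meaning is not visible in this diff, so adjust the wording to what the consumer of the flag does. Keeping the doc block complete matters here because the flags are a bitmask and a reader has no other way to tell which combinations are meaningful.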
@@ -482,10 +487,6 @@ extern struct expr *list_expr_alloc(const struct location *loc); extern struct expr *set_expr_alloc(const struct location *loc, const struct set *set); -extern int set_to_intervals(struct list_head *msgs, struct set *set, - struct expr *init, bool add, - unsigned int debug_mask, bool merge, - struct output_ctx *octx); extern void concat_range_aggregate(struct expr *set); extern void interval_map_decompose(struct expr *set); diff --git a/include/intervals.h b/include/intervals.h new file mode 100644 index 00000000..964804b1 --- /dev/null +++ b/include/intervals.h @@ -0,0 +1,12 @@ +#ifndef NFTABLES_INTERVALS_H +#define NFTABLES_INTERVALS_H + +void set_to_range(struct expr *init); +int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set, + struct expr *init, unsigned int debug_mask); +int set_delete(struct list_head *msgs, struct cmd *cmd, struct set *set, + struct expr *init, unsigned int debug_mask); +int set_overlap(struct list_head *msgs, struct set *set, struct expr *init); +int set_to_intervals(const struct set *set, struct expr *init, bool add); + +#endif diff --git a/include/ipopt.h b/include/ipopt.h index d8d48066..03420dc6 100644 --- a/include/ipopt.h +++ b/include/ipopt.h @@ -6,7 +6,7 @@ #include <statement.h> extern struct expr *ipopt_expr_alloc(const struct location *loc, - uint8_t type, uint8_t field, uint8_t ptr); + uint8_t type, uint8_t field); extern void ipopt_init_raw(struct expr *expr, uint8_t type, unsigned int offset, unsigned int len, diff --git a/include/json.h b/include/json.h index 3db9f278..b0d78eb8 100644 --- a/include/json.h +++ b/include/json.h 
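Review bot: The new intervals.h is not self-contained: `set_to_intervals` uses `bool`, and all five prototypes use `struct list_head`, `struct cmd`, `struct set` and `struct expr` without `<stdbool.h>` or forward declarations, so the header compiles only when the including file has already pulled those in (the same commit adds `#include <stdbool.h>` to datatype.h for exactly this reason). Adding `#include <stdbool.h>` and `struct list_head; struct cmd; struct set; struct expr;` after the include guard makes it usable on its own. None of the prototypes is documented; `set_overlap` and `set_delete` in particular would benefit from a line stating what a non-zero return means and whether an error record is appended to `msgs`.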
@@ -69,6 +69,7 @@ json_t *uid_type_json(const struct expr *expr, struct output_ctx *octx); json_t *gid_type_json(const struct expr *expr, struct output_ctx *octx); json_t *expr_stmt_json(const struct stmt *stmt, struct output_ctx *octx); +json_t *flow_offload_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *payload_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *exthdr_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *quota_stmt_json(const struct stmt *stmt, struct output_ctx *octx); @@ -90,6 +91,7 @@ json_t *verdict_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); +json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx); int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd); @@ -169,6 +171,7 @@ EXPR_PRINT_STUB(uid_type) EXPR_PRINT_STUB(gid_type) STMT_PRINT_STUB(expr) +STMT_PRINT_STUB(flow_offload) STMT_PRINT_STUB(payload) STMT_PRINT_STUB(exthdr) STMT_PRINT_STUB(quota) @@ -190,6 +193,7 @@ STMT_PRINT_STUB(verdict) STMT_PRINT_STUB(connlimit) STMT_PRINT_STUB(tproxy) STMT_PRINT_STUB(synproxy) +STMT_PRINT_STUB(optstrip) #undef STMT_PRINT_STUB #undef EXPR_PRINT_STUB diff --git a/include/mnl.h b/include/mnl.h index 68ec80cd..4c701d4e 100644 --- a/include/mnl.h +++ b/include/mnl.h 
@@ -33,8 +33,8 @@ int mnl_nft_rule_add(struct netlink_ctx *ctx, struct cmd *cmd, int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd); int mnl_nft_rule_replace(struct netlink_ctx *ctx, struct cmd *cmd); -struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, - int family); +struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, int family, + const char *table, const char *chain); int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags); @@ -43,25 +43,27 @@ int mnl_nft_chain_rename(struct netlink_ctx *ctx, const struct cmd *cmd, const struct chain *chain); struct nftnl_chain_list *mnl_nft_chain_dump(struct netlink_ctx *ctx, - int family); + int family, const char *table, + const char *chain); int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags); int mnl_nft_table_del(struct netlink_ctx *ctx, struct cmd *cmd); struct nftnl_table_list *mnl_nft_table_dump(struct netlink_ctx *ctx, - int family); + int family, const char *table); int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags); int mnl_nft_set_del(struct netlink_ctx *ctx, struct cmd *cmd); struct nftnl_set_list *mnl_nft_set_dump(struct netlink_ctx *ctx, int family, - const char *table); + const char *table, const char *set); int mnl_nft_setelem_add(struct netlink_ctx *ctx, const struct set *set, const struct expr *expr, unsigned int flags); -int mnl_nft_setelem_del(struct netlink_ctx *ctx, const struct cmd *cmd); +int mnl_nft_setelem_del(struct netlink_ctx *ctx, const struct handle *h, + const struct expr *init); int mnl_nft_setelem_flush(struct netlink_ctx *ctx, const struct cmd *cmd); int mnl_nft_setelem_get(struct netlink_ctx *ctx, struct nftnl_set *nls); struct nftnl_set *mnl_nft_setelem_get_one(struct netlink_ctx *ctx, 
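Review bot: The dump functions in the second mnl.h hunk (`mnl_nft_chain_dump`, `mnl_nft_table_dump`, `mnl_nft_set_dump`) and `mnl_nft_rule_dump` in the first gain `table`/`chain`/`set` filter arguments, but the header does not say whether NULL means "no filter" or is invalid; presumably NULL dumps everything, given the matching cache filter fields, but that should be stated on the declarations, e.g. `/* @table, @chain: restrict the dump when non-NULL; NULL dumps everything. */`. `mnl_nft_setelem_del` switches from `const struct cmd *` to `const struct handle *h, const struct expr *init`, and the relationship between the two (which elements of @init are deleted under @h) is worth one line as well. The same NULL question applies to `mnl_nft_flowtable_dump` in the following hunk.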
@@ -76,7 +78,8 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, struct cmd *cmd, int mnl_nft_obj_del(struct netlink_ctx *ctx, struct cmd *cmd, int type); struct nftnl_flowtable_list * -mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family, const char *table); +mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family, + const char *table, const char *ft); int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags); diff --git a/include/netlink.h b/include/netlink.h index a692edcd..e8e0f68a 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -39,6 +39,7 @@ struct netlink_parse_ctx { struct stmt *stmt; struct expr *registers[MAX_REGS + 1]; unsigned int debug_mask; + struct netlink_ctx *nlctx; }; struct rule_pp_ctx { @@ -135,7 +136,8 @@ extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h); extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc); -extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h); +extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, + const struct nft_cache_filter *filter); extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt); diff --git a/include/nftables.h b/include/nftables.h index 7b633905..d49eb579 100644 --- a/include/nftables.h +++ b/include/nftables.h @@ -123,11 +123,13 @@ struct nft_ctx { bool check; struct nft_cache cache; uint32_t flags; + uint32_t optimize_flags; struct parser_state *state; void *scanner; struct scope *top_scope; void *json_root; json_t *json_echo; + const char *stdin_buf; }; enum nftables_exit_codes { @@ -175,6 +177,7 @@ enum input_descriptor_types { INDESC_FILE, INDESC_CLI, INDESC_NETLINK, + INDESC_STDIN, }; /** 
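Review bot: `stdin_buf` and `optimize_flags` are added to `struct nft_ctx` in the first nftables.h hunk without comments, and for `const char *stdin_buf` it is not clear who owns the buffer, whether it must be NUL-terminated, or how long it must stay valid while an `INDESC_STDIN` input descriptor refers to it. Suggest `const char *stdin_buf;	/* input for INDESC_STDIN; ownership/lifetime: TODO confirm from the implementation */` with the ownership settled before merging. `optimize_flags` appears to hold the `enum nft_optimize_flags` bits exported from libnftables.h in this same series; a `/* NFT_OPTIMIZE_* */` tag next to it ties the internal field to the public enum.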
@@ -222,6 +225,8 @@ int nft_print(struct output_ctx *octx, const char *fmt, ...) int nft_gmp_print(struct output_ctx *octx, const char *fmt, ...) __attribute__((format(printf, 2, 0))); +int nft_optimize(struct nft_ctx *nft, struct list_head *cmds); + #define __NFT_OUTPUT_NOTSUPP UINT_MAX #endif /* NFTABLES_NFTABLES_H */ diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h index 957b5fbe..85e08c9b 100644 --- a/include/nftables/libnftables.h +++ b/include/nftables/libnftables.h @@ -41,6 +41,13 @@ void nft_ctx_free(struct nft_ctx *ctx); bool nft_ctx_get_dry_run(struct nft_ctx *ctx); void nft_ctx_set_dry_run(struct nft_ctx *ctx, bool dry); +enum nft_optimize_flags { + NFT_OPTIMIZE_ENABLED = 0x1, +}; + +uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx); +void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags); + enum { NFT_CTX_OUTPUT_REVERSEDNS = (1 << 0), NFT_CTX_OUTPUT_SERVICE = (1 << 1), diff --git a/include/parser.h b/include/parser.h index e8635b4c..f32154cc 100644 --- a/include/parser.h +++ b/include/parser.h 
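Review bot: `nft_ctx_set_optimize` in the libnftables.h hunk is exported API that accepts an arbitrary `uint32_t flags` bitmask and returns void, so a caller passing a bit other than `NFT_OPTIMIZE_ENABLED` gets no indication whether it was rejected or silently stored, and library consumers will come to depend on whatever the first implementation happens to do. Either document that undefined bits are ignored, or preferably reject them: `int nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags);` returning -1 with `errno` set to `EINVAL` for bits outside the enum. `nft_ctx_get_optimize` does not modify the context and could take `const struct nft_ctx *ctx`, though the neighbouring `nft_ctx_get_dry_run` does not either, so that is a consistency choice for the whole header.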
@@ -31,27 +31,57 @@ struct parser_state { enum startcond_type { PARSER_SC_BEGIN, PARSER_SC_ARP, + PARSER_SC_AT, PARSER_SC_CT, PARSER_SC_COUNTER, PARSER_SC_ETH, + PARSER_SC_FLAGS, + PARSER_SC_ICMP, + PARSER_SC_IGMP, PARSER_SC_IP, PARSER_SC_IP6, PARSER_SC_LIMIT, + PARSER_SC_META, + PARSER_SC_POLICY, PARSER_SC_QUOTA, PARSER_SC_SCTP, PARSER_SC_SECMARK, + PARSER_SC_TCP, + PARSER_SC_TYPE, PARSER_SC_VLAN, + PARSER_SC_CMD_EXPORT, + PARSER_SC_CMD_IMPORT, PARSER_SC_CMD_LIST, + PARSER_SC_CMD_MONITOR, + PARSER_SC_CMD_RESET, + PARSER_SC_EXPR_AH, + PARSER_SC_EXPR_COMP, + PARSER_SC_EXPR_DCCP, + PARSER_SC_EXPR_DST, + PARSER_SC_EXPR_ESP, PARSER_SC_EXPR_FIB, + PARSER_SC_EXPR_FRAG, PARSER_SC_EXPR_HASH, + PARSER_SC_EXPR_HBH, PARSER_SC_EXPR_IPSEC, + PARSER_SC_EXPR_MH, PARSER_SC_EXPR_NUMGEN, + PARSER_SC_EXPR_OSF, PARSER_SC_EXPR_QUEUE, PARSER_SC_EXPR_RT, PARSER_SC_EXPR_SCTP_CHUNK, PARSER_SC_EXPR_SOCKET, + PARSER_SC_EXPR_TH, + PARSER_SC_EXPR_UDP, + PARSER_SC_EXPR_UDPLITE, + PARSER_SC_STMT_DUP, + PARSER_SC_STMT_FWD, PARSER_SC_STMT_LOG, + PARSER_SC_STMT_NAT, + PARSER_SC_STMT_REJECT, + PARSER_SC_STMT_SYNPROXY, + PARSER_SC_STMT_TPROXY, }; struct mnl_socket; diff --git a/include/payload.h b/include/payload.h index 8bc3fb9a..37869928 100644 --- a/include/payload.h +++ b/include/payload.h @@ -25,16 +25,14 @@ extern int exthdr_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, /** * struct payload_dep_ctx - payload protocol dependency tracking * - * @pbase: protocol base of last dependency match * @icmp_type: extra info for icmp(6) decoding - * @pdep: last dependency match * @prev: previous statement + * @pdeps: last dependency match per protocol layer */ struct payload_dep_ctx { - enum proto_bases pbase:8; - uint8_t icmp_type; - struct stmt *pdep; - struct stmt *prev; + uint8_t icmp_type; + struct stmt *prev; + struct stmt *pdeps[PROTO_BASE_MAX + 1]; }; extern bool payload_is_known(const struct expr *expr); 
@@ -47,7 +45,10 @@ extern void payload_dependency_store(struct payload_dep_ctx *ctx, enum proto_bases base); extern bool payload_dependency_exists(const struct payload_dep_ctx *ctx, enum proto_bases base); -extern void payload_dependency_release(struct payload_dep_ctx *ctx); +extern struct expr *payload_dependency_get(struct payload_dep_ctx *ctx, + enum proto_bases base); +extern void payload_dependency_release(struct payload_dep_ctx *ctx, + enum proto_bases base); extern void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, unsigned int family); extern void exthdr_dependency_kill(struct payload_dep_ctx *ctx, diff --git a/include/rbtree.h b/include/rbtree.h deleted file mode 100644 index ac65283f..00000000 --- a/include/rbtree.h +++ /dev/null 
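Review bot: `payload_dependency_get` and `payload_dependency_release` in the second payload.h hunk now take an `enum proto_bases base` that, per the first hunk, indexes `pdeps[PROTO_BASE_MAX + 1]`; the header gives no hint that the implementation must check `base <= PROTO_BASE_MAX` before indexing, and the enum is not visible here to confirm that every enumerator fits the array. A comment on the declarations, `/* @base must be <= PROTO_BASE_MAX; it indexes ctx->pdeps */`, plus an assert in the implementation, would make the bound explicit. The final `exthdr_dependency_kill` declaration continues past the end of the hunk and was not reviewed.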
@@ -1,98 +0,0 @@ -/* - * Red Black Trees - * (C) 1999 Andrea Arcangeli <andrea@suse.de> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - */ - -#ifndef NFTABLES_RBTREE_H -#define NFTABLES_RBTREE_H - -#include <stddef.h> - -struct rb_node -{ - unsigned long rb_parent_color; -#define RB_RED 0 -#define RB_BLACK 1 - struct rb_node *rb_right; - struct rb_node *rb_left; -}; - -struct rb_root -{ - struct rb_node *rb_node; -}; - -#define rb_parent(r) ((struct rb_node *)((r)->rb_parent_color & ~3)) -#define rb_color(r) ((r)->rb_parent_color & 1) -#define rb_is_red(r) (!rb_color(r)) -#define rb_is_black(r) rb_color(r) -#define rb_set_red(r) do { (r)->rb_parent_color &= ~1; } while (0) -#define rb_set_black(r) do { (r)->rb_parent_color |= 1; } while (0) - -static inline void rb_set_parent(struct rb_node *rb, struct rb_node *p) -{ - rb->rb_parent_color = (rb->rb_parent_color & 3) | (unsigned long)p; -} -static inline void rb_set_color(struct rb_node *rb, int color) -{ - rb->rb_parent_color = (rb->rb_parent_color & ~1) | color; -} - -#define RB_ROOT (struct rb_root) { NULL, } -#define rb_entry(ptr, type, member) container_of(ptr, type, member) - -#define RB_EMPTY_ROOT(root) ((root)->rb_node == NULL) -#define RB_EMPTY_NODE(node) (rb_parent(node) == node) -#define RB_CLEAR_NODE(node) (rb_set_parent(node, 
node)) - -extern void rb_insert_color(struct rb_node *, struct rb_root *); -extern void rb_erase(struct rb_node *, struct rb_root *); - -/* Find logical next and previous nodes in a tree */ -extern struct rb_node *rb_next(struct rb_node *); -extern struct rb_node *rb_prev(struct rb_node *); -extern struct rb_node *rb_first(struct rb_root *); -extern struct rb_node *rb_last(struct rb_root *); - -/* Fast replacement of a single node without remove/rebalance/add/rebalance */ -extern void rb_replace_node(struct rb_node *victim, struct rb_node *new, - struct rb_root *root); - -static inline void rb_link_node(struct rb_node * node, struct rb_node * parent, - struct rb_node ** rb_link) -{ - node->rb_parent_color = (unsigned long )parent; - node->rb_left = node->rb_right = NULL; - - *rb_link = node; -} - -#define rb_for_each_entry(pos, root, member) \ - for ((pos) = (root)->rb_node ? \ - rb_entry(rb_first(root), typeof(*pos), member) : NULL; \ - (pos) != NULL; \ - (pos) = rb_entry(rb_next(&(pos)->member), typeof(*pos), member)) - -#define rb_for_each_entry_safe(pos, node, next, root, member) \ - for ((node) = rb_first(root); \ - (pos) = (node) ? rb_entry((node), typeof(*pos), member) : NULL, \ - (next) = (node) ? rb_next(node) : NULL, \ - (pos) != NULL; \ - (node) = (next)) - -#endif /* NFTABLES_RBTREE_H */ diff --git a/include/rule.h b/include/rule.h index be316956..e232b97a 100644 --- a/include/rule.h +++ b/include/rule.h @@ -311,7 +311,6 @@ void rule_stmt_append(struct rule *rule, struct stmt *stmt); void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt, struct stmt *stmt); - /** * struct set - nftables set * @@ -325,6 +324,7 @@ void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt, * @key: key expression (data type, length)) * @data: mapping data expression * @objtype: mapping object type + * @existing_set: reference to existing set in the kernel * @init: initializer * @rg_cache: cached range element (left) * @policy: set mechanism policy 
@@ -346,6 +346,7 @@ struct set { struct expr *key; struct expr *data; uint32_t objtype; + struct set *existing_set; struct expr *init; struct expr *rg_cache; uint32_t policy; diff --git a/include/statement.h b/include/statement.h index 06221040..2a2d3001 100644 --- a/include/statement.h +++ b/include/statement.h @@ -145,6 +145,12 @@ struct nat_stmt { extern struct stmt *nat_stmt_alloc(const struct location *loc, enum nft_nat_etypes type); +struct optstrip_stmt { + struct expr *expr; +}; + +extern struct stmt *optstrip_stmt_alloc(const struct location *loc, struct expr *e); + struct tproxy_stmt { struct expr *addr; struct expr *port; @@ -297,6 +303,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc); * @STMT_MAP: map statement * @STMT_SYNPROXY: synproxy statement * @STMT_CHAIN: chain statement + * @STMT_OPTSTRIP: optstrip statement */ enum stmt_types { STMT_INVALID, @@ -326,6 +333,7 @@ enum stmt_types { STMT_MAP, STMT_SYNPROXY, STMT_CHAIN, + STMT_OPTSTRIP, }; /** @@ -380,6 +388,7 @@ struct stmt { struct reject_stmt reject; struct nat_stmt nat; struct tproxy_stmt tproxy; + struct optstrip_stmt optstrip; struct queue_stmt queue; struct quota_stmt quota; struct ct_stmt ct; diff --git a/include/tcpopt.h b/include/tcpopt.h index 667c8a77..3a0b8424 100644 --- a/include/tcpopt.h +++ b/include/tcpopt.h @@ -12,8 +12,8 @@ extern void tcpopt_init_raw(struct expr *expr, uint8_t type, unsigned int offset, unsigned int len, uint32_t flags); -extern bool tcpopt_find_template(struct expr *expr, const struct expr *mask, - unsigned int *shift); +extern bool tcpopt_find_template(struct expr *expr, unsigned int offset, + unsigned int len); /* TCP option numbers used on wire */ enum tcpopt_kind { @@ -25,6 +25,9 @@ enum tcpopt_kind { TCPOPT_KIND_SACK = 5, TCPOPT_KIND_TIMESTAMP = 8, TCPOPT_KIND_ECHO = 8, + TCPOPT_KIND_MD5SIG = 19, + TCPOPT_KIND_MPTCP = 30, + TCPOPT_KIND_FASTOPEN = 34, __TCPOPT_KIND_MAX, /* extra oob info, internal to nft */ 
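Review bot: `optstrip_stmt_alloc` in the first statement.h hunk is declared on one 84-column line with its expression parameter named `e`, while every other allocator in this header wraps at 80 columns and the struct it fills calls the field `expr`; suggest `extern struct stmt *optstrip_stmt_alloc(const struct location *loc,` continued on the next line as `struct expr *expr);` aligned with the other prototypes. The declaration also does not say whether the statement takes ownership of the expression, which `struct optstrip_stmt { struct expr *expr; }` suggests but does not prove; a `/* takes ownership of @expr */` comment would settle it for callers.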
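Review bot: The three option kinds added in the second tcpopt.h hunk (`TCPOPT_KIND_MD5SIG = 19`, `TCPOPT_KIND_MPTCP = 30`, `TCPOPT_KIND_FASTOPEN = 34`) move `__TCPOPT_KIND_MAX` from what looks like 9 to 35, so the `tcpopt_protocols[__TCPOPT_KIND_MAX]` table declared at the end of this file now has large unpopulated gaps (9–18, 20–29, 31–33) that presumably remain NULL. Every lookup by a kind value that originates from user input or from a kernel dump must therefore check both `kind < __TCPOPT_KIND_MAX` and a NULL entry before dereferencing; that code is outside this diff, so please confirm the parser and delinearize paths do so. A comment next to the array, `/* sparse: kinds without a descriptor are NULL */`, would warn future readers.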
@@ -71,6 +74,12 @@ enum tcpopt_hdr_field_sack { TCPOPT_SACK_RIGHT3, }; +enum tcpopt_hdr_mptcp_common { + TCPOPT_MPTCP_KIND, + TCPOPT_MPTCP_LENGTH, + TCPOPT_MPTCP_SUBTYPE, +}; + extern const struct exthdr_desc *tcpopt_protocols[__TCPOPT_KIND_MAX]; #endif /* NFTABLES_TCPOPT_H */ |