This removes static flag and adds declarations in headers for the
following arrays:
* ct_templates from src/ct.c
* mark_tbl from src/datatype.c
* meta_templates and devgroup_tbl from src/meta.c
* table_flags_name from src/rule.c
* set_stmt_op_names from src/statement.c
* tcpopthdr_protocols from src/tcpopt.c
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This adds support for tcp mss mangling:
nft add rule filter input tcp option maxseg size 1200
It's also possible to change other tcp option fields, but
maxseg is one of the more useful ones to change.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
not used outside of tcpopt.c, so unexport from header file and
make them static.
Signed-off-by: Florian Westphal <fw@strlen.de>
This allows to have custom flags in exthdr expression, which is
necessary for upcoming existence checks (of both IPv6 extension headers
as well as TCP options).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Rework syntax, add tokens so we can extend the grammar more easily.
This has triggered several syntax changes with regards to the original
patch, specifically:
tcp option sack0 left 1
There is no space between sack and the block number anymore, no more
offset field, now they are a single field. Just like we do with rt, rt0
and rt2. This simplifies our grammar and that is good since it makes our
life easier when extending it later on to accommodate new features.
I have also renamed sack_permitted to sack-permitted. I couldn't find
any option using underscore so far, so let's keep it consistent with
what we have.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch enables nft to match against TCP options.
Currently these TCP options are supported:
* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)
Syntax: tcp options $option_name [$offset] $field_name
Example:
# count all incoming packets with a specific maximum segment size `x`
# nft add rule filter input tcp option maxseg size x counter
# count all incoming packets with a SACK TCP option where the third
# (counted from zero) left field is greater `x`.
# nft add rule filter input tcp option sack 2 left \> x counter
If the offset (the `2` in the example above) is zero, it can optionally
be omitted.
For all non-SACK TCP options it is always zero, thus can be left out.
Option names and field names are parsed from templates, similar to meta
and ct options rather than via keywords to prevent adding more keywords
than necessary.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
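The option and field names described in the commit messages above, walked through in an added example that is not nftables code: a parser for a raw TCP header's option area that exposes `maxseg size`, the zero-based SACK block index with its `left`/`right` edges, and the presence of `sack-permitted`, `noop` and `eol`. The `window count` field name and the sample header bytes are assumptions constructed here, and malformed option lengths are rejected rather than skipped.

```python
import struct
# TCP option kinds mapped to the names nft's tcpopt templates expose
KIND_TO_NAME = {0: "eol", 1: "noop", 2: "maxseg", 3: "window", 4: "sack-permitted", 5: "sack"}

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Parse a raw TCP header's option area into nft-style option/field names."""
    data_offset = (tcp_header[12] >> 4) * 4        # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, pos = {}, 20
    while pos < data_offset:
        kind = tcp_header[pos]
        if kind == 0:                                # eol: nothing follows
            opts["eol"] = {}
            break
        if kind == 1:                                # noop: one byte, no length
            opts["noop"] = {}
            pos += 1
            continue
        length = tcp_header[pos + 1] if pos + 1 < data_offset else 0
        if length < 2 or pos + length > data_offset:  # malformed: refuse, don't skip
            raise ValueError("bad option length")
        body = tcp_header[pos + 2:pos + length]
        name = KIND_TO_NAME.get(kind)
        if name == "maxseg" and len(body) == 2:
            opts[name] = {"size": struct.unpack("!H", body)[0]}
        elif name == "window" and len(body) == 1:
            opts[name] = {"count": body[0]}          # field name assumed here
        elif name == "sack-permitted" and len(body) == 0:
            opts[name] = {}
        elif name == "sack" and len(body) % 8 == 0:
            edges = struct.unpack("!%dI" % (len(body) // 4), body)
            opts[name] = [{"left": edges[i], "right": edges[i + 1]}
                          for i in range(0, len(edges), 2)]
        pos += length
    return opts

def option_field(opts, name, field, block=0):
    """Resolve `tcp option <name> [<block>] <field>`; None when absent."""
    entry = opts.get(name)
    if isinstance(entry, list):                      # sack: block is the zero-based index
        return entry[block][field] if block < len(entry) else None
    return entry.get(field) if entry is not None else None

# Constructed sample: fixed header with data offset 15 (60 bytes), then 40 option
# bytes: maxseg 1200, sack-permitted, noop, window 7, three SACK blocks, noop, eol.
SAMPLE = (struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 15 << 4, 0x02, 65535, 0, 0)
          + bytes([2, 4, 0x04, 0xB0]) + bytes([4, 2]) + bytes([1, 3, 3, 7])
          + bytes([5, 26]) + struct.pack("!6I", 10, 20, 30, 40, 50, 60)
          + bytes([1, 0, 0, 0]))
```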