| author | Florian Westphal <fw@strlen.de> | 2022-01-25 17:52:55 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2022-01-29 13:33:36 +0100 |
| commit | 250dce876d924b9467ffa035af445912e86ea93b (patch) | |
| tree | 751301bbe5e70794459498ca3f9fdaff1ab2154a /iptables/ip6tables.8 | |
| parent | ea5d45dc23a4529a2a45c59ac6c13b61297c789e (diff) | |
nft-shared: support native tcp port delinearize
This extends the iptables-nft dissector to decode native tcp
port matching. nft ruleset:

    table ip filter {
            chain INPUT {
                    type filter hook input priority filter; policy accept;
                    tcp sport 12345
                    tcp sport 12345 tcp dport 6789
                    tcp sport < 1024
                    tcp dport >= 1024
            }
    }

    $ iptables-nft-save
    -A INPUT -p tcp -m tcp --sport 12345
    -A INPUT -p tcp -m tcp --sport 12345 --dport 6789
    -A INPUT -p tcp -m tcp --sport 0:1023
    -A INPUT -p tcp -m tcp --dport 1024:65535

This would allow extending iptables-nft to prefer
native payload expressions for --sport,dport in the future.

Also, parse_cmp must not clear the "payload" flag; this is because
cmp-based range expressions will contain the following sequence:

    payload => reg1
    cmp reg1 > minv
    cmp reg1 < maxv

... so the second cmp would work.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/ip6tables.8')
0 files changed, 0 insertions, 0 deletions
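As an added illustration of the decoding the commit describes (not code from iptables or from this commit), here is a toy Python model of the dissector. It walks a simplified list of nft expressions (meta l4proto, payload load, cmp), keeps the pending payload load across cmp expressions so that the two-cmp range encoding narrows a single port interval, and prints the iptables-save form shown above. The class names, the expression representation, the `clear_payload_on_cmp` switch (which models the bug the commit says parse_cmp must avoid) and the sample rule lists are all assumptions of this example; the real dissector works on libnftnl expressions, and nft cmp constants are in network byte order, which is ignored here.

```python
"""Toy model of iptables-nft delinearization of native tcp port matches.
Added illustration only; expression shapes are simplified and hypothetical."""
from dataclasses import dataclass, field
from typing import Optional, Union

# TCP header offsets of the port fields, relative to the transport header.
TCP_SPORT_OFF, TCP_DPORT_OFF = 0, 2
PORT_FIELDS = {TCP_SPORT_OFF: "sport", TCP_DPORT_OFF: "dport"}
L4PROTO_NAMES = {6: "tcp", 17: "udp"}


@dataclass
class Meta:
    """nft 'meta load <key> => reg' (hypothetical representation)."""
    key: str


@dataclass
class Payload:
    """nft 'payload load <length>b @ transport header + <offset> => reg'."""
    offset: int
    length: int


@dataclass
class Cmp:
    """nft 'cmp <op> reg <data>'; data given in host byte order here."""
    op: str   # eq, lt, lte, gt, gte
    data: int


Expr = Union[Meta, Payload, Cmp]


@dataclass
class Rule:
    proto: Optional[str] = None
    ports: dict = field(default_factory=dict)  # "sport"/"dport" -> [lo, hi]


def narrow(rng, op, v):
    """Intersect the current port interval with one cmp constraint."""
    lo, hi = rng
    if op == "eq":
        lo, hi = v, v
    elif op == "lt":
        hi = min(hi, v - 1)   # 'tcp sport < 1024' becomes 0:1023
    elif op == "lte":
        hi = min(hi, v)
    elif op == "gt":
        lo = max(lo, v + 1)
    elif op == "gte":
        lo = max(lo, v)       # 'tcp dport >= 1024' becomes 1024:65535
    else:
        raise ValueError(f"unsupported cmp op {op}")
    if lo > hi or lo < 0 or hi > 0xFFFF:
        raise ValueError("empty or out-of-range port interval")
    return [lo, hi]


def delinearize(exprs, clear_payload_on_cmp=False):
    """Rebuild a match from the expression list.
    clear_payload_on_cmp=True forgets the pending payload after the first
    cmp, which breaks the 'payload, cmp >= min, cmp <= max' range encoding."""
    rule = Rule()
    meta: Optional[Meta] = None
    payload: Optional[Payload] = None
    for e in exprs:
        if isinstance(e, Meta):
            meta, payload = e, None
        elif isinstance(e, Payload):
            payload, meta = e, None
        elif isinstance(e, Cmp):
            if meta is not None and meta.key == "l4proto":
                rule.proto = L4PROTO_NAMES[e.data]
                meta = None
            elif payload is not None:
                if (rule.proto != "tcp" or payload.length != 2
                        or payload.offset not in PORT_FIELDS):
                    raise ValueError("not a native tcp port match")
                name = PORT_FIELDS[payload.offset]
                rule.ports[name] = narrow(rule.ports.get(name, [0, 0xFFFF]),
                                          e.op, e.data)
                if clear_payload_on_cmp:
                    payload = None  # the mistake: second cmp has no payload
            else:
                raise ValueError("cmp without a preceding payload/meta load")
        else:
            raise TypeError(e)
    return rule


def fmt_port(lo, hi):
    return str(lo) if lo == hi else f"{lo}:{hi}"


def to_iptables(chain, exprs):
    """Render the decoded rule in iptables-save syntax."""
    r = delinearize(exprs)
    out = [f"-A {chain}"]
    if r.proto:
        out.append(f"-p {r.proto}")
    if r.ports:
        out.append(f"-m {r.proto}")
        for name in ("sport", "dport"):
            if name in r.ports:
                out.append(f"--{name} {fmt_port(*r.ports[name])}")
    return " ".join(out)


def tcp_port_rule(field_off, *cmps):
    """Constructed sample input: linearized 'tcp sport/dport ...' rule."""
    return [Meta("l4proto"), Cmp("eq", 6), Payload(field_off, 2), *cmps]


if __name__ == "__main__":
    rules = [
        tcp_port_rule(TCP_SPORT_OFF, Cmp("eq", 12345)),
        tcp_port_rule(TCP_SPORT_OFF, Cmp("eq", 12345))
        + [Payload(TCP_DPORT_OFF, 2), Cmp("eq", 6789)],
        tcp_port_rule(TCP_SPORT_OFF, Cmp("lt", 1024)),
        tcp_port_rule(TCP_DPORT_OFF, Cmp("gte", 1024)),
        tcp_port_rule(TCP_DPORT_OFF, Cmp("gte", 1000), Cmp("lte", 2000)),
    ]
    for r in rules:
        print(to_iptables("INPUT", r))
```

The last sample rule is the range case from the commit message: two cmp expressions against the same payload register. With the payload kept pending, they narrow one interval to `1000:2000`; with `clear_payload_on_cmp=True` the second cmp has nothing to apply to and the decoder rejects the rule.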