diff options
author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-06-22 19:12:08 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-17 10:22:39 +0200 |
commit | 1188a69604c3df2a63daca9e735fdb535e8f6b63 (patch) | |
tree | 21887d78f5b30023546f40da96aaa4cf256a59e5 /include/linux/netfilter/nf_tables.h | |
parent | 82cc676289803cfd1e69dfeaa4658d57a1547a86 (diff) |
src: introduce SYNPROXY matching
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/netfilter/nf_tables.h')
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 709fbc8d..adc08935 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -1544,6 +1544,23 @@ enum nft_osf_attributes { #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) /** + * enum nft_synproxy_attributes - nftables synproxy expression + * netlink attributes + * + * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) + * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) + * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) + */ +enum nft_synproxy_attributes { + NFTA_SYNPROXY_UNSPEC, + NFTA_SYNPROXY_MSS, + NFTA_SYNPROXY_WSCALE, + NFTA_SYNPROXY_FLAGS, + __NFTA_SYNPROXY_MAX, +}; +#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) + +/** * enum nft_device_attributes - nf_tables device netlink attributes * * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) |