author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-11-02 14:01:58 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-11-08 10:53:59 +0100 |
commit | b67abc51ba6f78be79f344dfda9c6d0753d79aea (patch) | |
tree | 974a155489e69c0a9a5c9f3ee209ca5bec2d3c99 /src/netlink_linearize.c | |
parent | dad3338f1f76a4a5bd782bae9c6b48941dfb1e31 (diff) |
src: raw payload match and mangle on inner header / payload data
This patch adds support to match on inner header / payload data:
# nft add rule x y @ih,32,32 0x14000000 counter
you can also mangle payload data:
# nft add rule x y @ih,32,32 set 0x14000000 counter
This update triggers a checksum update at the layer 4 header via
csum_flags, mangling odd bytes is also aligned to 16-bits.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r-- | src/netlink_linearize.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 454b9ba3..111102fd 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -1028,8 +1028,9 @@ static void netlink_gen_payload_stmt(struct netlink_linearize_ctx *ctx, nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_CSUM_OFFSET, csum_off / BITS_PER_BYTE); } - if (expr->payload.base == PROTO_BASE_NETWORK_HDR && desc && - payload_needs_l4csum_update_pseudohdr(expr, desc)) + if ((expr->payload.base == PROTO_BASE_NETWORK_HDR && desc && + payload_needs_l4csum_update_pseudohdr(expr, desc)) || + expr->payload.base == PROTO_BASE_INNER_HDR) nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS, NFT_PAYLOAD_L4CSUM_PSEUDOHDR); |
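Review bot: In the rewritten condition in netlink_gen_payload_stmt(), the `expr->payload.base == PROTO_BASE_INNER_HDR` arm sets NFT_PAYLOAD_L4CSUM_PSEUDOHDR unconditionally, whereas the network-header arm is gated on `desc` and `payload_needs_l4csum_update_pseudohdr(expr, desc)`. The flag name refers to a pseudo-header update, and nothing in the code says why every inner-header mangle should carry it; only the commit message mentions the layer 4 checksum update via csum_flags. Please add a short comment above the `if` stating that intent. Splitting the two cases into separate conditions, or a small helper, would also read more clearly than the nested parentheses.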