From 1188a69604c3df2a63daca9e735fdb535e8f6b63 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera
Date: Sat, 22 Jun 2019 19:12:08 +0200
Subject: src: introduce SYNPROXY matching

Add support for "synproxy" statement. For example (for TCP port 8888):

table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } }

Signed-off-by: Fernando Fernandez Mancera
Signed-off-by: Pablo Neira Ayuso
---
 include/json.h | 1 +
 include/linux/netfilter/nf_synproxy.h | 23 +++++++++++++++++++++++
 include/linux/netfilter/nf_tables.h | 17 +++++++++++++++++
 include/statement.h | 11 +++++++++++
 4 files changed, 52 insertions(+)
 create mode 100644 include/linux/netfilter/nf_synproxy.h
(limited to 'include')
diff --git a/include/json.h b/include/json.h
index c724c299..ce57c9f7 100644
--- a/include/json.h
+++ b/include/json.h
@@ -83,6 +83,7 @@ json_t *queue_stmt_json(const struct stmt *stmt, struct output_ctx *octx);
 json_t *verdict_stmt_json(const struct stmt *stmt, struct output_ctx *octx);
 json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx);
 json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx);
+json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx);
 
 int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd);
 
diff --git a/include/linux/netfilter/nf_synproxy.h b/include/linux/netfilter/nf_synproxy.h
new file mode 100644
index 00000000..0e7c3919
--- /dev/null
+++ b/include/linux/netfilter/nf_synproxy.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _NF_SYNPROXY_H
+#define _NF_SYNPROXY_H
+
+#include 
+
+#define NF_SYNPROXY_OPT_MSS 0x01
+#define NF_SYNPROXY_OPT_WSCALE 0x02
+#define NF_SYNPROXY_OPT_SACK_PERM 0x04
+#define NF_SYNPROXY_OPT_TIMESTAMP 0x08
+#define NF_SYNPROXY_OPT_ECN 0x10
+#define NF_SYNPROXY_FLAGMASK (NF_SYNPROXY_OPT_MSS | \
+ NF_SYNPROXY_OPT_WSCALE | \
+ NF_SYNPROXY_OPT_SACK_PERM | \
+ NF_SYNPROXY_OPT_TIMESTAMP)
+
+struct nf_synproxy_info {
+ __u8 options;
+ __u8 wscale;
+ __u16 mss;
+};
+
+#endif /* _NF_SYNPROXY_H */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 709fbc8d..adc08935 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1543,6 +1543,23 @@ enum nft_osf_attributes {
 };
 #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
 
+/**
+ * enum nft_synproxy_attributes - nftables synproxy expression
+ * netlink attributes
+ *
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
+ */
+enum nft_synproxy_attributes {
+ NFTA_SYNPROXY_UNSPEC,
+ NFTA_SYNPROXY_MSS,
+ NFTA_SYNPROXY_WSCALE,
+ NFTA_SYNPROXY_FLAGS,
+ __NFTA_SYNPROXY_MAX,
+};
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
+
 /**
  * enum nft_device_attributes - nf_tables device netlink attributes
  *
diff --git a/include/statement.h b/include/statement.h
index 6fb5cf15..585908de 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -204,6 +204,14 @@ struct map_stmt {
 
 extern struct stmt *map_stmt_alloc(const struct location *loc);
 
+struct synproxy_stmt {
+ uint16_t mss;
+ uint8_t wscale;
+ uint32_t flags;
+};
+
+extern struct stmt *synproxy_stmt_alloc(const struct location *loc);
+
 struct meter_stmt {
 struct expr *set;
 struct expr *key;
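Review bot: The new `struct synproxy_stmt` in the statement.h hunk has no comment on its members, and nothing states which values `flags` may legitimately hold. The widths mirror the netlink attribute types declared in the nf_tables.h hunk of this same commit (NLA_U16 mss, NLA_U8 wscale, NLA_U32 flags), while the kernel-facing `struct nf_synproxy_info` added in nf_synproxy.h keeps its option bits in a `__u8` bounded by `NF_SYNPROXY_FLAGMASK`, so I would annotate the field as `uint32_t flags; /* NF_SYNPROXY_OPT_* bits, within NF_SYNPROXY_FLAGMASK */` and note on `mss` and `wscale` that they presumably only apply when the matching option bit is set. Whatever code populates `flags` and serialises it to NFTA_SYNPROXY_FLAGS should reject or mask bits outside `NF_SYNPROXY_FLAGMASK` before the message is sent to the kernel; that code lies outside this include-only view, so this is a point to confirm rather than a defect in the hunk.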
@@ -271,6 +279,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
  * @STMT_FLOW_OFFLOAD: flow offload statement
  * @STMT_CONNLIMIT: connection limit statement
  * @STMT_MAP: map statement
+ * @STMT_SYNPROXY: synproxy statement
  */
 enum stmt_types {
 STMT_INVALID,
@@ -298,6 +307,7 @@ enum stmt_types {
 STMT_FLOW_OFFLOAD,
 STMT_CONNLIMIT,
 STMT_MAP,
+ STMT_SYNPROXY,
 };
 
 /**
@@ -362,6 +372,7 @@ struct stmt {
 struct objref_stmt objref;
 struct flow_stmt flow;
 struct map_stmt map;
+ struct synproxy_stmt synproxy;
 };
 };
 
-- 
cgit v1.2.3