From 1188a69604c3df2a63daca9e735fdb535e8f6b63 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera
Date: Sat, 22 Jun 2019 19:12:08 +0200
Subject: src: introduce SYNPROXY matching
Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } }
Signed-off-by: Fernando Fernandez Mancera
Signed-off-by: Pablo Neira Ayuso
---
src/json.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
(limited to 'src/json.c')
diff --git a/src/json.c b/src/json.c
index 47543768..96ba557a 100644
--- a/src/json.c
+++ b/src/json.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1466,6 +1467,34 @@ json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
 return json_pack("{s:o}", "tproxy", root);
 }
 
+json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
+{
+ json_t *root = json_object(), *flags = json_array();
+
+ if (stmt->synproxy.flags & NF_SYNPROXY_OPT_MSS)
+ json_object_set_new(root, "mss",
+ json_integer(stmt->synproxy.mss));
+ if (stmt->synproxy.flags & NF_SYNPROXY_OPT_WSCALE)
+ json_object_set_new(root, "wscale",
+ json_integer(stmt->synproxy.wscale));
+ if (stmt->synproxy.flags & NF_SYNPROXY_OPT_TIMESTAMP)
+ json_array_append_new(flags, json_string("timestamp"));
+ if (stmt->synproxy.flags & NF_SYNPROXY_OPT_SACK_PERM)
+ json_array_append_new(flags, json_string("sack-perm"));
+
+ if (json_array_size(flags) > 0)
+ json_object_set_new(root, "flags", flags);
+ else
+ json_decref(flags);
+
+ if (!json_object_size(root)) {
+ json_decref(root);
+ root = json_null();
+ }
+
+ return json_pack("{s:o}", "synproxy", root);
+}
+
 static json_t *table_print_json_full(struct netlink_ctx *ctx,
 struct table *table)
 {
-- cgit v1.2.3
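Review bot: synproxy_stmt_json has no header comment, and its one non-obvious choice — the `json_null()` fallback after the `if (!json_object_size(root))` check — goes unexplained: a bare `synproxy` statement with no mss/wscale/timestamp/sack-perm option is serialized as `"synproxy": null` rather than as an empty object, and every consumer of this JSON output has to accept that shape. Suggest a comment on that block, `/* no option set: emit null instead of an empty object */`, plus a one-line header stating that "mss" and "wscale" are emitted only when their NF_SYNPROXY_OPT_* flag is set and that "flags" is omitted when the array stays empty. The Jansson constructors' return values (`json_object()`, `json_array()`, `json_integer()`, `json_string()` all return NULL on allocation failure) are not checked anywhere in the function; as far as this hunk shows that follows the style of the neighbouring printers, so this is a note rather than a requested change. The function is non-static but no prototype appears in the hunk; presumably it is declared in a header elsewhere in the commit, which this view limited to src/json.c does not show. table_print_json_full, whose signature opens at the end of the hunk, continues outside it.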