|
 |
4e0227 |
From 267d86b62132a009badd57b2ffcffed6ae682a1e Mon Sep 17 00:00:00 2001
|
|
|
4e0227 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
4e0227 |
Date: Mon, 12 Jul 2021 17:44:08 +0200
|
|
|
4e0227 |
Subject: [PATCH] tcp: add raw tcp option match support
|
|
|
4e0227 |
|
|
|
4e0227 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1979334
|
|
|
4e0227 |
Upstream Status: nftables commit 881d8cb21c0b9
|
|
|
4e0227 |
|
|
|
4e0227 |
commit 881d8cb21c0b9168787b932f41b801593bde2216
|
|
|
4e0227 |
Author: Florian Westphal <fw@strlen.de>
|
|
|
4e0227 |
Date: Mon Nov 2 20:10:25 2020 +0100
|
|
|
4e0227 |
|
|
|
4e0227 |
tcp: add raw tcp option match support
|
|
|
4e0227 |
|
|
|
4e0227 |
tcp option @42,16,4 (@kind,offset,length).
|
|
|
4e0227 |
|
|
|
4e0227 |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
4e0227 |
---
|
|
|
4e0227 |
doc/payload-expression.txt | 6 ++++++
|
|
|
4e0227 |
src/exthdr.c | 13 +++++++++----
|
|
|
4e0227 |
src/parser_bison.y | 5 +++++
|
|
|
4e0227 |
src/tcpopt.c | 2 ++
|
|
|
4e0227 |
tests/py/any/tcpopt.t | 2 ++
|
|
|
4e0227 |
tests/py/any/tcpopt.t.payload | 7 +++++++
|
|
|
4e0227 |
6 files changed, 31 insertions(+), 4 deletions(-)
|
|
|
4e0227 |
|
|
|
4e0227 |
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
|
|
|
4e0227 |
index 3a07321..b6d2a28 100644
|
|
|
4e0227 |
--- a/doc/payload-expression.txt
|
|
|
4e0227 |
+++ b/doc/payload-expression.txt
|
|
|
4e0227 |
@@ -591,6 +591,12 @@ TCP Timestamps |
|
|
|
4e0227 |
kind, length, tsval, tsecr
|
|
|
4e0227 |
|============================
|
|
|
4e0227 |
|
|
|
4e0227 |
+TCP option matching also supports raw expression syntax to access arbitrary options:
|
|
|
4e0227 |
+[verse]
|
|
|
4e0227 |
+*tcp option*
|
|
|
4e0227 |
+[verse]
|
|
|
4e0227 |
+*tcp option* *@*'number'*,*'offset'*,*'length'
|
|
|
4e0227 |
+
|
|
|
4e0227 |
.IP Options
|
|
|
4e0227 |
[options="header"]
|
|
|
4e0227 |
|==================
|
|
|
4e0227 |
diff --git a/src/exthdr.c b/src/exthdr.c
|
|
|
4e0227 |
index 68d5aa5..5c75720 100644
|
|
|
4e0227 |
--- a/src/exthdr.c
|
|
|
4e0227 |
+++ b/src/exthdr.c
|
|
|
4e0227 |
@@ -32,10 +32,15 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
|
|
|
4e0227 |
*/
|
|
|
4e0227 |
unsigned int offset = expr->exthdr.offset / 64;
|
|
|
4e0227 |
|
|
|
4e0227 |
- if (expr->exthdr.desc == NULL &&
|
|
|
4e0227 |
- expr->exthdr.offset == 0 &&
|
|
|
4e0227 |
- expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
|
|
|
4e0227 |
- nft_print(octx, "tcp option %d", expr->exthdr.raw_type);
|
|
|
4e0227 |
+ if (expr->exthdr.desc == NULL) {
|
|
|
4e0227 |
+ if (expr->exthdr.offset == 0 &&
|
|
|
4e0227 |
+ expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
|
|
|
4e0227 |
+ nft_print(octx, "tcp option %d", expr->exthdr.raw_type);
|
|
|
4e0227 |
+ return;
|
|
|
4e0227 |
+ }
|
|
|
4e0227 |
+
|
|
|
4e0227 |
+ nft_print(octx, "tcp option @%u,%u,%u", expr->exthdr.raw_type,
|
|
|
4e0227 |
+ expr->exthdr.offset, expr->len);
|
|
|
4e0227 |
return;
|
|
|
4e0227 |
}
|
|
|
4e0227 |
|
|
|
4e0227 |
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
|
|
4e0227 |
index 4ea9364..5aedc55 100644
|
|
|
4e0227 |
--- a/src/parser_bison.y
|
|
|
4e0227 |
+++ b/src/parser_bison.y
|
|
|
4e0227 |
@@ -4718,6 +4718,11 @@ tcp_hdr_expr : TCP tcp_hdr_field
|
|
|
4e0227 |
$$ = tcpopt_expr_alloc(&@$, $3, TCPOPT_COMMON_KIND);
|
|
|
4e0227 |
$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
|
|
|
4e0227 |
}
|
|
|
4e0227 |
+ | TCP OPTION AT tcp_hdr_option_type COMMA NUM COMMA NUM
|
|
|
4e0227 |
+ {
|
|
|
4e0227 |
+ $$ = tcpopt_expr_alloc(&@$, $4, 0);
|
|
|
4e0227 |
+ tcpopt_init_raw($$, $4, $6, $8, 0);
|
|
|
4e0227 |
+ }
|
|
|
4e0227 |
;
|
|
|
4e0227 |
|
|
|
4e0227 |
tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
|
|
|
4e0227 |
diff --git a/src/tcpopt.c b/src/tcpopt.c
|
|
|
4e0227 |
index 1cf97a5..05b5ee6 100644
|
|
|
4e0227 |
--- a/src/tcpopt.c
|
|
|
4e0227 |
+++ b/src/tcpopt.c
|
|
|
4e0227 |
@@ -197,6 +197,8 @@ void tcpopt_init_raw(struct expr *expr, uint8_t type, unsigned int off,
|
|
|
4e0227 |
|
|
|
4e0227 |
if (flags & NFT_EXTHDR_F_PRESENT)
|
|
|
4e0227 |
datatype_set(expr, &boolean_type);
|
|
|
4e0227 |
+ else
|
|
|
4e0227 |
+ datatype_set(expr, &integer_type);
|
|
|
4e0227 |
|
|
|
4e0227 |
if (type >= array_size(tcpopt_protocols))
|
|
|
4e0227 |
return;
|
|
|
4e0227 |
diff --git a/tests/py/any/tcpopt.t b/tests/py/any/tcpopt.t
|
|
|
4e0227 |
index 7b17014..e759ac6 100644
|
|
|
4e0227 |
--- a/tests/py/any/tcpopt.t
|
|
|
4e0227 |
+++ b/tests/py/any/tcpopt.t
|
|
|
4e0227 |
@@ -31,6 +31,7 @@ tcp option timestamp length 1;ok
|
|
|
4e0227 |
tcp option timestamp tsval 1;ok
|
|
|
4e0227 |
tcp option timestamp tsecr 1;ok
|
|
|
4e0227 |
tcp option 255 missing;ok
|
|
|
4e0227 |
+tcp option @255,8,8 255;ok
|
|
|
4e0227 |
|
|
|
4e0227 |
tcp option foobar;fail
|
|
|
4e0227 |
tcp option foo bar;fail
|
|
|
4e0227 |
@@ -40,6 +41,7 @@ tcp option eol left 1;fail
|
|
|
4e0227 |
tcp option sack window;fail
|
|
|
4e0227 |
tcp option sack window 1;fail
|
|
|
4e0227 |
tcp option 256 exists;fail
|
|
|
4e0227 |
+tcp option @255,8,8 256;fail
|
|
|
4e0227 |
|
|
|
4e0227 |
tcp option window exists;ok
|
|
|
4e0227 |
tcp option window missing;ok
|
|
|
4e0227 |
diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload
|
|
|
4e0227 |
index 34f8e26..cddba61 100644
|
|
|
4e0227 |
--- a/tests/py/any/tcpopt.t.payload
|
|
|
4e0227 |
+++ b/tests/py/any/tcpopt.t.payload
|
|
|
4e0227 |
@@ -523,6 +523,13 @@ inet
|
|
|
4e0227 |
[ exthdr load tcpopt 1b @ 255 + 0 present => reg 1 ]
|
|
|
4e0227 |
[ cmp eq reg 1 0x00000000 ]
|
|
|
4e0227 |
|
|
|
4e0227 |
+# tcp option @255,8,8 255
|
|
|
4e0227 |
+inet
|
|
|
4e0227 |
+ [ meta load l4proto => reg 1 ]
|
|
|
4e0227 |
+ [ cmp eq reg 1 0x00000006 ]
|
|
|
4e0227 |
+ [ exthdr load tcpopt 1b @ 255 + 1 => reg 1 ]
|
|
|
4e0227 |
+ [ cmp eq reg 1 0x000000ff ]
|
|
|
4e0227 |
+
|
|
|
4e0227 |
# tcp option window exists
|
|
|
4e0227 |
inet
|
|
|
4e0227 |
[ meta load l4proto => reg 1 ]
|
|
|
4e0227 |
--
|
|
|
4e0227 |
2.31.1
|
|
|
4e0227 |
|