From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft 6/7] tcp: add raw tcp option match support
Date: Thu, 5 Nov 2020 15:11:43 +0100 [thread overview]
Message-ID: <20201105141144.31430-7-fw@strlen.de> (raw)
In-Reply-To: <20201105141144.31430-1-fw@strlen.de>
tcp option @42,16,4 (@kind,offset,length).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
doc/payload-expression.txt | 6 ++++++
src/exthdr.c | 13 +++++++++----
src/parser_bison.y | 5 +++++
src/tcpopt.c | 2 ++
tests/py/any/tcpopt.t | 2 ++
tests/py/any/tcpopt.t.payload | 7 +++++++
6 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 3cfa7791edac..ffd1b671637a 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -591,6 +591,12 @@ TCP Timestamps |
kind, length, tsval, tsecr
|============================
+TCP option matching also supports raw expression syntax to access arbitrary options:
+[verse]
+*tcp option*
+[verse]
+*tcp option* *@*'number'*,*'offset'*,*'length'
+
.IP Options
[options="header"]
|==================
diff --git a/src/exthdr.c b/src/exthdr.c
index 8995ad1775a0..5eb66529b5d7 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -52,10 +52,15 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
*/
unsigned int offset = expr->exthdr.offset / 64;
- if (expr->exthdr.desc == NULL &&
- expr->exthdr.offset == 0 &&
- expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
- nft_print(octx, "tcp option %d", expr->exthdr.raw_type);
+ if (expr->exthdr.desc == NULL) {
+ if (expr->exthdr.offset == 0 &&
+ expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
+ nft_print(octx, "tcp option %d", expr->exthdr.raw_type);
+ return;
+ }
+
+ nft_print(octx, "tcp option @%u,%u,%u", expr->exthdr.raw_type,
+ expr->exthdr.offset, expr->len);
return;
}
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 393f66862810..079d8ebe121f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -5198,6 +5198,11 @@ tcp_hdr_expr : TCP tcp_hdr_field
$$ = tcpopt_expr_alloc(&@$, $3, TCPOPT_COMMON_KIND);
$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
}
+ | TCP OPTION AT tcp_hdr_option_type COMMA NUM COMMA NUM
+ {
+ $$ = tcpopt_expr_alloc(&@$, $4, 0);
+ tcpopt_init_raw($$, $4, $6, $8, 0);
+ }
;
tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
diff --git a/src/tcpopt.c b/src/tcpopt.c
index 1cf97a563bc2..05b5ee6e3a0b 100644
--- a/src/tcpopt.c
+++ b/src/tcpopt.c
@@ -197,6 +197,8 @@ void tcpopt_init_raw(struct expr *expr, uint8_t type, unsigned int off,
if (flags & NFT_EXTHDR_F_PRESENT)
datatype_set(expr, &boolean_type);
+ else
+ datatype_set(expr, &integer_type);
if (type >= array_size(tcpopt_protocols))
return;
diff --git a/tests/py/any/tcpopt.t b/tests/py/any/tcpopt.t
index 7b17014b3003..e759ac6132d9 100644
--- a/tests/py/any/tcpopt.t
+++ b/tests/py/any/tcpopt.t
@@ -31,6 +31,7 @@ tcp option timestamp length 1;ok
tcp option timestamp tsval 1;ok
tcp option timestamp tsecr 1;ok
tcp option 255 missing;ok
+tcp option @255,8,8 255;ok
tcp option foobar;fail
tcp option foo bar;fail
@@ -40,6 +41,7 @@ tcp option eol left 1;fail
tcp option sack window;fail
tcp option sack window 1;fail
tcp option 256 exists;fail
+tcp option @255,8,8 256;fail
tcp option window exists;ok
tcp option window missing;ok
diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload
index 34f8e26c4409..cddba613a088 100644
--- a/tests/py/any/tcpopt.t.payload
+++ b/tests/py/any/tcpopt.t.payload
@@ -523,6 +523,13 @@ inet
[ exthdr load tcpopt 1b @ 255 + 0 present => reg 1 ]
[ cmp eq reg 1 0x00000000 ]
+# tcp option @255,8,8 255
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ exthdr load tcpopt 1b @ 255 + 1 => reg 1 ]
+ [ cmp eq reg 1 0x000000ff ]
+
# tcp option window exists
inet
[ meta load l4proto => reg 1 ]
--
2.26.2
next prev parent reply other threads:[~2020-11-05 14:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 14:11 [PATCH nft 0/7] rework tcp option handling Florian Westphal
2020-11-05 14:11 ` [PATCH nft 1/7] parser: merge sack-perm/sack-permitted and maxseg/mss Florian Westphal
2020-11-05 15:22 ` Jeremy Sowden
2020-11-05 15:45 ` Florian Westphal
2020-11-05 14:11 ` [PATCH nft 2/7] tcpopts: clean up parser -> tcpopt.c plumbing Florian Westphal
2020-11-05 14:11 ` [PATCH nft 3/7] tcpopt: rename noop to nop Florian Westphal
2020-11-05 14:11 ` [PATCH nft 4/7] tcpopt: split tcpopt_hdr_fields into per-option enum Florian Westphal
2020-11-05 14:11 ` [PATCH nft 5/7] tcpopt: allow to check for presence of any tcp option Florian Westphal
2020-11-05 19:11 ` Jeremy Sowden
2020-11-05 20:57 ` Jeremy Sowden
2020-11-09 11:10 ` Florian Westphal
2020-11-09 11:38 ` Jeremy Sowden
2020-11-05 14:11 ` Florian Westphal [this message]
2020-11-05 14:11 ` [PATCH nft 7/7] json: tcp: add raw tcp option match support Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201105141144.31430-7-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).