Hi,
I have been working on the synproxy expression. In my opinion, there is
no way to use sets or maps with synproxy so I think it should be a
statement.
This patch is almost finished, but I have been dealing with the
following error.
# nft add table ip foo
# nft add chain ip foo bar
# nft add rule ip foo bar synproxy mss 1460 wscale 7
> Error: Could not process rule: Numerical result out of range
> add rule ip foo bar synproxy mss 10 wscale 2
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I have tried to debug it using libnftables directly. And I still getting
the same error. The problem should be in the libnftnl or nf-next patch.
I am probably missing something. Any suggestion? Thanks :-)
On 6/17/19 12:32 PM, Fernando Fernandez Mancera wrote:
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>
> ---
> include/linux/netfilter/nf_SYNPROXY.h | 23 ++++++++++++
> include/linux/netfilter/nf_tables.h | 16 +++++++++
> include/statement.h | 11 ++++++
> src/evaluate.c | 16 +++++++++
> src/netlink_delinearize.c | 17 +++++++++
> src/netlink_linearize.c | 17 +++++++++
> src/parser_bison.y | 48 +++++++++++++++++++++++++
> src/scanner.l | 6 ++++
> src/statement.c | 50 +++++++++++++++++++++++++++
> 9 files changed, 204 insertions(+)
> create mode 100644 include/linux/netfilter/nf_SYNPROXY.h
>
> diff --git a/include/linux/netfilter/nf_SYNPROXY.h b/include/linux/netfilter/nf_SYNPROXY.h
> new file mode 100644
> index 0000000..0e7c391
> --- /dev/null
> +++ b/include/linux/netfilter/nf_SYNPROXY.h
> @@ -0,0 +1,23 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _NF_SYNPROXY_H
> +#define _NF_SYNPROXY_H
> +
> +#include <linux/types.h>
> +
> +#define NF_SYNPROXY_OPT_MSS 0x01
> +#define NF_SYNPROXY_OPT_WSCALE 0x02
> +#define NF_SYNPROXY_OPT_SACK_PERM 0x04
> +#define NF_SYNPROXY_OPT_TIMESTAMP 0x08
> +#define NF_SYNPROXY_OPT_ECN 0x10
> +#define NF_SYNPROXY_FLAGMASK (NF_SYNPROXY_OPT_MSS | \
> + NF_SYNPROXY_OPT_WSCALE | \
> + NF_SYNPROXY_OPT_SACK_PERM | \
> + NF_SYNPROXY_OPT_TIMESTAMP)
> +
> +struct nf_synproxy_info {
> + __u8 options;
> + __u8 wscale;
> + __u16 mss;
> +};
> +
> +#endif /* _NF_SYNPROXY_H */
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index 7bdb234..d9ccf3f 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -1529,6 +1529,22 @@ enum nft_osf_attributes {
> };
> #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
>
> +/**
> + * enum nft_synproxy_attributes - nftables synproxy expression
> + * netlink attributes
> + *
> + * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
> + * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
> + * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
> + */
> +enum nft_synproxy_attributes {
> + NFTA_SYNPROXY_MSS,
> + NFTA_SYNPROXY_WSCALE,
> + NFTA_SYNPROXY_FLAGS,
> + __NFTA_SYNPROXY_MAX,
> +};
> +#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
> +
> /**
> * enum nft_device_attributes - nf_tables device netlink attributes
> *
> diff --git a/include/statement.h b/include/statement.h
> index 91d6e0e..f789ced 100644
> --- a/include/statement.h
> +++ b/include/statement.h
> @@ -203,6 +203,14 @@ struct map_stmt {
>
> extern struct stmt *map_stmt_alloc(const struct location *loc);
>
> +struct synproxy_stmt {
> + uint16_t mss;
> + uint8_t wscale;
> + uint32_t flags;
> +};
> +
> +extern struct stmt *synproxy_stmt_alloc(const struct location *loc);
> +
> struct meter_stmt {
> struct expr *set;
> struct expr *key;
> @@ -270,6 +278,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
> * @STMT_FLOW_OFFLOAD: flow offload statement
> * @STMT_CONNLIMIT: connection limit statement
> * @STMT_MAP: map statement
> + * @STMT_SYNPROXY: synproxy statement
> */
> enum stmt_types {
> STMT_INVALID,
> @@ -297,6 +306,7 @@ enum stmt_types {
> STMT_FLOW_OFFLOAD,
> STMT_CONNLIMIT,
> STMT_MAP,
> + STMT_SYNPROXY,
> };
>
> /**
> @@ -361,6 +371,7 @@ struct stmt {
> struct objref_stmt objref;
> struct flow_stmt flow;
> struct map_stmt map;
> + struct synproxy_stmt synproxy;
> };
> };
>
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 39101b4..04692b8 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -17,6 +17,7 @@
> #include <linux/netfilter.h>
> #include <linux/netfilter_arp.h>
> #include <linux/netfilter/nf_tables.h>
> +#include <linux/netfilter/nf_SYNPROXY.h>
> #include <linux/netfilter_ipv4.h>
> #include <netinet/ip_icmp.h>
> #include <netinet/icmp6.h>
> @@ -2704,6 +2705,19 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
> return 0;
> }
>
> +static int stmt_evaluate_synproxy(struct eval_ctx *ctx, struct stmt *stmt)
> +{
> + printf("Values of the synproxy expr: %u %u\n", stmt->synproxy.mss, stmt->synproxy.wscale);
> + if (stmt->synproxy.flags != 0 &&
> + !(stmt->synproxy.flags & (NF_SYNPROXY_OPT_MSS |
> + NF_SYNPROXY_OPT_WSCALE |
> + NF_SYNPROXY_OPT_TIMESTAMP |
> + NF_SYNPROXY_OPT_SACK_PERM)))
> + return stmt_error(ctx, stmt, "This flags are not supported for SYNPROXY");
> +
> + return 0;
> +}
> +
> static int stmt_evaluate_dup(struct eval_ctx *ctx, struct stmt *stmt)
> {
> int err;
> @@ -3048,6 +3062,8 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
> return stmt_evaluate_objref(ctx, stmt);
> case STMT_MAP:
> return stmt_evaluate_map(ctx, stmt);
> + case STMT_SYNPROXY:
> + return stmt_evaluate_synproxy(ctx, stmt);
> default:
> BUG("unknown statement type %s\n", stmt->ops->name);
> }
> diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
> index 0270e1f..2785325 100644
> --- a/src/netlink_delinearize.c
> +++ b/src/netlink_delinearize.c
> @@ -1010,6 +1010,22 @@ out_err:
> xfree(stmt);
> }
>
> +static void netlink_parse_synproxy(struct netlink_parse_ctx *ctx,
> + const struct location *loc,
> + const struct nftnl_expr *nle)
> +{
> + struct stmt *stmt;
> +
> + stmt = synproxy_stmt_alloc(loc);
> + stmt->synproxy.mss = nftnl_expr_get_u16(nle, NFTNL_EXPR_SYNPROXY_MSS);
> + stmt->synproxy.wscale = nftnl_expr_get_u8(nle,
> + NFTNL_EXPR_SYNPROXY_WSCALE);
> + stmt->synproxy.flags = nftnl_expr_get_u32(nle,
> + NFTNL_EXPR_SYNPROXY_FLAGS);
> +
> + ctx->stmt = stmt;
> +}
> +
> static void netlink_parse_tproxy(struct netlink_parse_ctx *ctx,
> const struct location *loc,
> const struct nftnl_expr *nle)
> @@ -1476,6 +1492,7 @@ static const struct {
> { .name = "tcpopt", .parse = netlink_parse_exthdr },
> { .name = "flow_offload", .parse = netlink_parse_flow_offload },
> { .name = "xfrm", .parse = netlink_parse_xfrm },
> + { .name = "synproxy", .parse = netlink_parse_synproxy },
> };
>
> static int netlink_parse_expr(const struct nftnl_expr *nle,
> diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
> index 2c6aa64..498326d 100644
> --- a/src/netlink_linearize.c
> +++ b/src/netlink_linearize.c
> @@ -1141,6 +1141,21 @@ static void netlink_gen_tproxy_stmt(struct netlink_linearize_ctx *ctx,
> nftnl_rule_add_expr(ctx->nlr, nle);
> }
>
> +static void netlink_gen_synproxy_stmt(struct netlink_linearize_ctx *ctx,
> + const struct stmt *stmt)
> +{
> + struct nftnl_expr *nle;
> +
> + nle = alloc_nft_expr("synproxy");
> + nftnl_expr_set_u16(nle, NFTNL_EXPR_SYNPROXY_MSS, stmt->synproxy.mss);
> + nftnl_expr_set_u8(nle, NFTNL_EXPR_SYNPROXY_WSCALE,
> + stmt->synproxy.wscale);
> + nftnl_expr_set_u32(nle, NFTNL_EXPR_SYNPROXY_FLAGS,
> + stmt->synproxy.flags);
> +
> + nftnl_rule_add_expr(ctx->nlr, nle);
> +}
> +
> static void netlink_gen_dup_stmt(struct netlink_linearize_ctx *ctx,
> const struct stmt *stmt)
> {
> @@ -1382,6 +1397,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
> return netlink_gen_nat_stmt(ctx, stmt);
> case STMT_TPROXY:
> return netlink_gen_tproxy_stmt(ctx, stmt);
> + case STMT_SYNPROXY:
> + return netlink_gen_synproxy_stmt(ctx, stmt);
> case STMT_DUP:
> return netlink_gen_dup_stmt(ctx, stmt);
> case STMT_QUEUE:
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 97a48f3..61e0888 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -23,6 +23,7 @@
> #include <linux/netfilter/nf_nat.h>
> #include <linux/netfilter/nf_log.h>
> #include <linux/netfilter/nfnetlink_osf.h>
> +#include <linux/netfilter/nf_SYNPROXY.h>
> #include <linux/xfrm.h>
> #include <netinet/ip_icmp.h>
> #include <netinet/icmp6.h>
> @@ -200,6 +201,12 @@ int nft_lex(void *, void *, void *);
>
> %token OSF "osf"
>
> +%token SYNPROXY "synproxy"
> +%token MSS "mss"
> +%token WSCALE "wscale"
> +%token TIMESTAMP "timestamp"
> +%token SACKPERM "sack-perm"
> +
> %token HOOK "hook"
> %token DEVICE "device"
> %token DEVICES "devices"
> @@ -601,6 +608,9 @@ int nft_lex(void *, void *, void *);
> %type <val> nf_nat_flags nf_nat_flag offset_opt
> %type <stmt> tproxy_stmt
> %destructor { stmt_free($$); } tproxy_stmt
> +%type <stmt> synproxy_stmt synproxy_stmt_alloc
> +%destructor { stmt_free($$); } synproxy_stmt synproxy_stmt_alloc
> +
>
> %type <stmt> queue_stmt queue_stmt_alloc
> %destructor { stmt_free($$); } queue_stmt queue_stmt_alloc
> @@ -2245,6 +2255,7 @@ stmt : verdict_stmt
> | fwd_stmt
> | set_stmt
> | map_stmt
> + | synproxy_stmt
> ;
>
> verdict_stmt : verdict_expr
> @@ -2675,6 +2686,43 @@ tproxy_stmt : TPROXY TO stmt_expr
> }
> ;
>
> +synproxy_stmt : synproxy_stmt_alloc
> + | synproxy_stmt_alloc synproxy_args
> + ;
> +
> +synproxy_stmt_alloc : SYNPROXY
> + {
> + $$ = synproxy_stmt_alloc(&@$);
> + }
> + ;
> +
> +synproxy_args : synproxy_arg
> + {
> + $<stmt>$ = $<stmt>0;
> + }
> + | synproxy_args synproxy_arg
> + ;
> +
> +synproxy_arg : MSS NUM
> + {
> + $<stmt>0->synproxy.mss = $2;
> + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_MSS;
> + }
> + | WSCALE NUM
> + {
> + $<stmt>0->synproxy.wscale = $2;
> + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_WSCALE;
> + }
> + | TIMESTAMP
> + {
> + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_TIMESTAMP;
> + }
> + | SACKPERM
> + {
> + $<stmt>0->synproxy.flags |= NF_SYNPROXY_OPT_SACK_PERM;
> + }
> + ;
> +
> primary_stmt_expr : symbol_expr { $$ = $1; }
> | integer_expr { $$ = $1; }
> | boolean_expr { $$ = $1; }
> diff --git a/src/scanner.l b/src/scanner.l
> index d1f6e87..e990cc6 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -543,6 +543,12 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
>
> "osf" { return OSF; }
>
> +"synproxy" { return SYNPROXY; }
> +"mss" { return MSS; }
> +"wscale" { return WSCALE; }
> +"timestamp" { return TIMESTAMP; }
> +"sack-perm" { return SACKPERM; }
> +
> "notrack" { return NOTRACK; }
>
> "options" { return OPTIONS; }
> diff --git a/src/statement.c b/src/statement.c
> index a9e8b3a..3489e3e 100644
> --- a/src/statement.c
> +++ b/src/statement.c
> @@ -29,6 +29,7 @@
> #include <netinet/in.h>
> #include <linux/netfilter/nf_nat.h>
> #include <linux/netfilter/nf_log.h>
> +#include <linux/netfilter/nf_SYNPROXY.h>
>
> struct stmt *stmt_alloc(const struct location *loc,
> const struct stmt_ops *ops)
> @@ -877,3 +878,52 @@ struct stmt *xt_stmt_alloc(const struct location *loc)
> {
> return stmt_alloc(loc, &xt_stmt_ops);
> }
> +
> +static const char *synproxy_sack_to_str(const uint32_t flags)
> +{
> + if (flags & NF_SYNPROXY_OPT_SACK_PERM)
> + return " sack-perm";
> +
> + return "";
> +}
> +
> +static const char *synproxy_timestamp_to_str(const uint32_t flags)
> +{
> + if (flags & NF_SYNPROXY_OPT_TIMESTAMP)
> + return " timestamp";
> +
> + return "";
> +}
> +
> +static void synproxy_stmt_print(const struct stmt *stmt,
> + struct output_ctx *octx)
> +{
> + uint32_t flags = stmt->synproxy.flags;
> + const char *ts_str = synproxy_timestamp_to_str(flags);
> + const char *sack_str = synproxy_sack_to_str(flags);
> +
> + if (flags & (NF_SYNPROXY_OPT_MSS | NF_SYNPROXY_OPT_WSCALE))
> + nft_print(octx, "synproxy mss %u wscale %u%s%s",
> + stmt->synproxy.mss, stmt->synproxy.wscale,
> + ts_str, sack_str);
> + else if (flags & NF_SYNPROXY_OPT_MSS)
> + nft_print(octx, "synproxy mss %u%s%s", stmt->synproxy.mss,
> + ts_str, sack_str);
> + else if (flags & NF_SYNPROXY_OPT_WSCALE)
> + nft_print(octx, "synproxy wscale %u%s%s", stmt->synproxy.wscale,
> + ts_str, sack_str);
> + else
> + nft_print(octx, "synproxy%s%s", ts_str, sack_str);
> +
> +}
> +
> +static const struct stmt_ops synproxy_stmt_ops = {
> + .type = STMT_SYNPROXY,
> + .name = "synproxy",
> + .print = synproxy_stmt_print,
> +};
> +
> +struct stmt *synproxy_stmt_alloc(const struct location *loc)
> +{
> + return stmt_alloc(loc, &synproxy_stmt_ops);
> +}
>
