On Thu, Dec 23, 2021 at 12:50:17AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Dec 20, 2021 at 03:32:47PM +0100, Florian Westphal wrote:
> > This allows to replace a tcp option with nop padding to selectively disable
> > a particular tcp option.
> >
> > Optstrip mode is chosen when userspace passes the exthdr expression with
> > neither a source nor a destination register attribute.
> >
> > This is identical to xtables TCPOPTSTRIP extension.
>
> Is it worth to retain the bitmap approach? Probably a new nested attribute
> to store the list of types that you would like to strip:
>
>   NFTA_EXTHDR_TYPES
>     NFTA_EXTHDR_TYPE
>     NFTA_EXTHDR_TYPE
>
> From the kernel, you could build a bitmap (just like TCPOPTSTRIP) based on
> this list.
>
> From the dump path, you can iterate over the bitmap to check for bitset to
> build this nest.
>
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > ---
> > proposed userspace syntax is:
> >
> > nft add rule f in delete tcp option sack-perm
> > nft add rule f in tcp option reset sack-perm,...
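Added here as an illustration, not Florian's patch or the nft_exthdr code: a userspace C model of the NOP-padding replacement described in the commit message, driven by a TCPOPTSTRIP-style bitmap that is filled from a list of option kinds (the shape Pablo suggests for an NFTA_EXTHDR_TYPE nest). The names strip_mask, tcp_strip_options and the sample option bytes are my own constructions; the walk stops on a malformed length, and the TCP checksum fix-up a kernel implementation needs is left out.

```c
#include <stdint.h>
#include <string.h>
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_SACK_PERM = 4 };

/* One bit per option kind (256 kinds), as in the xtables TCPOPTSTRIP bitmap. */
struct strip_mask { uint8_t bits[32]; };

/* Building the bitmap from a list of kinds, as an NFTA_EXTHDR_TYPE nest would. */
static void strip_mask_add(struct strip_mask *m, uint8_t kind)
{
	m->bits[kind / 8] |= (uint8_t)(1u << (kind % 8));
}

/* Overwrite every option whose kind is set in the mask with NOPs (kind 1), so
 * the TCP header length is unchanged. Returns how many options were replaced,
 * or -1 if the list is malformed. Caller must recompute the TCP checksum. */
static int tcp_strip_options(uint8_t *opt, size_t optlen, const struct strip_mask *m)
{
	size_t i = 0;
	int stripped = 0;
	while (i < optlen) {
		uint8_t kind = opt[i], len;
		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			i++;
			continue;
		}
		if (i + 1 >= optlen)
			return -1;	/* option kind with no length byte */
		len = opt[i + 1];
		if (len < 2 || i + len > optlen)
			return -1;	/* bogus or truncated length */
		if (m->bits[kind / 8] & (1u << (kind % 8))) {
			memset(opt + i, TCPOPT_NOP, len);
			stripped++;
		}
		i += len;
	}
	return stripped;
}

/* Constructed sample options: MSS 1460, SACK-perm, NOP, NOP, EOL padding. */
static uint8_t sample_opts[12] = { 2, 4, 5, 180, 4, 2, 1, 1, 0, 0, 0, 0 };
static int strip_sack_perm_from_sample(void)
{
	struct strip_mask m = { { 0 } };
	strip_mask_add(&m, TCPOPT_SACK_PERM);
	return tcp_strip_options(sample_opts, sizeof(sample_opts), &m);
}
```

After the call, bytes 4 and 5 of the sample read 1, 1 and the MSS option is untouched, which is exactly what `delete tcp option sack-perm` would leave on the wire.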