[PATCH iptables-nft 6/7] nft-shared: add tcp flag dissection


 



Detect a payload load of th->flags and convert it to the xt tcp match
structure.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft-shared.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 19c82854f758..74f08c8966ee 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -751,6 +751,22 @@ static void nft_complete_th_port_range(struct nft_xt_ctx *ctx,
 	}
 }
 
+static void nft_complete_tcp_flags(struct nft_xt_ctx *ctx,
+				   struct iptables_command_state *cs,
+				   uint8_t op,
+				   uint8_t flags,
+				   uint8_t mask)
+{
+	struct xt_tcp *tcp = nft_tcp_match(ctx, cs);
+
+	if (!tcp)
+		return;
+
+	if (op == NFT_CMP_NEQ)
+		tcp->invflags |= XT_TCP_INV_FLAGS;
+	tcp->flg_cmp = flags;
+	tcp->flg_mask = mask;
+}
 
 static void nft_complete_transport(struct nft_xt_ctx *ctx,
 				   struct nftnl_expr *e, void *data)
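Review bot: nft_complete_tcp_flags distinguishes only NFT_CMP_NEQ, so any other comparison operator that reaches it (NFT_CMP_LT, NFT_CMP_GT, ...) is silently translated into a plain equality flags match rather than rejected; unless op is already restricted to EQ/NEQ earlier in nft_complete_transport (outside this hunk), a guard `if (op != NFT_CMP_EQ && op != NFT_CMP_NEQ) return;` before the invflags update would keep an untranslatable rule from being rendered as a different, weaker match. The early return when nft_tcp_match() yields NULL also deserves a one-line comment stating that the flags are dropped in that case, e.g. `/* no tcp match could be attached: flags comparison is not representable, leave cs untouched */`. A short header comment naming the contract would help too: `/* Translate a cmp on th->flags (already masked by a preceding bitwise expr) into xt_tcp flg_cmp/flg_mask. */`.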
@@ -797,6 +813,18 @@ static void nft_complete_transport(struct nft_xt_ctx *ctx,
 			return;
 		}
 		break;
+	case 13: /* th->flags */
+		if (len == 1 && proto == IPPROTO_TCP) {
+			uint8_t flags = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+			uint8_t mask = ~0;
+
+			if (ctx->flags & NFT_XT_CTX_BITWISE) {
+				memcpy(&mask, &ctx->bitwise.mask, sizeof(mask));
+				ctx->flags &= ~NFT_XT_CTX_BITWISE;
+			}
+			nft_complete_tcp_flags(ctx, cs, op, flags, mask);
+		}
+		return;
 	}
 }
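Review bot: NFT_XT_CTX_BITWISE is cleared only on the `len == 1 && proto == IPPROTO_TCP` path; when the load is not TCP or not one byte the case returns with the pending bitwise mask still set in ctx->flags, so a later cmp in the same rule could pick up a stale mask — unless the sibling cases rely on that behaviour, clearing the flag before the `if` (or on the else path) is safer. The `memcpy(&mask, &ctx->bitwise.mask, sizeof(mask))` copies only the first byte of ctx->bitwise.mask, which is correct only if that field holds the flags byte first; a comment such as `/* bitwise mask is stored in register layout, flags byte is the first byte */` would record the assumption for the next reader. The bare `13` is a magic offset; a named constant (or `offsetof(struct tcphdr, th_flags)`) would document it alongside the comment. nft_complete_transport starts outside this hunk.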
 
-- 
2.34.1




