Detect payload load of th->flags and convert it to xt tcp match
structure.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
iptables/nft-shared.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 19c82854f758..74f08c8966ee 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -751,6 +751,22 @@ static void nft_complete_th_port_range(struct nft_xt_ctx *ctx,
}
}
+static void nft_complete_tcp_flags(struct nft_xt_ctx *ctx,
+ struct iptables_command_state *cs,
+ uint8_t op,
+ uint8_t flags,
+ uint8_t mask)
+{
+ struct xt_tcp *tcp = nft_tcp_match(ctx, cs);
+
+ if (!tcp)
+ return;
+
+ if (op == NFT_CMP_NEQ)
+ tcp->invflags |= XT_TCP_INV_FLAGS;
+ tcp->flg_cmp = flags;
+ tcp->flg_mask = mask;
+}
static void nft_complete_transport(struct nft_xt_ctx *ctx,
struct nftnl_expr *e, void *data)
@@ -797,6 +813,18 @@ static void nft_complete_transport(struct nft_xt_ctx *ctx,
return;
}
break;
+ case 13: /* th->flags */
+ if (len == 1 && proto == IPPROTO_TCP) {
+ uint8_t flags = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+ uint8_t mask = ~0;
+
+ if (ctx->flags & NFT_XT_CTX_BITWISE) {
+ memcpy(&mask, &ctx->bitwise.mask, sizeof(mask));
+ ctx->flags &= ~NFT_XT_CTX_BITWISE;
+ }
+ nft_complete_tcp_flags(ctx, cs, op, flags, mask);
+ }
+ return;
}
}
--
2.34.1
