* [PATCH nft 0/7] tcp mss mangling support
@ 2017-08-19 23:14 Florian Westphal
  2017-08-19 23:14 ` [PATCH libnftnl 1/7] exthdr: tcp option set support Florian Westphal
                   ` (6 more replies)
  0 siblings, 7 replies; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel

This is the userspace patch set for tcp option mangling.

The first two patches add libnftnl support for the exthdr and rt code;
the remaining patches add nftables frontend support.



* [PATCH libnftnl 1/7] exthdr: tcp option set support
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:07   ` Pablo Neira Ayuso
  2017-08-19 23:14 ` [PATCH libnftnl 2/7] rt: tcpmss get support Florian Westphal
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/libnftnl/expr.h             |  1 +
 include/linux/netfilter/nf_tables.h |  4 +++-
 src/expr/exthdr.c                   | 39 ++++++++++++++++++++++++++++++++-----
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index b06d1b176578..76f28fee7b5f 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -158,6 +158,7 @@ enum {
 	NFTNL_EXPR_EXTHDR_LEN,
 	NFTNL_EXPR_EXTHDR_FLAGS,
 	NFTNL_EXPR_EXTHDR_OP,
+	NFTNL_EXPR_EXTHDR_SREG,
 };
 
 enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 683f6f88fcac..4766f5091b5f 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -731,7 +731,8 @@ enum nft_exthdr_op {
  * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
  * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
  * @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32)
- * @NFTA_EXTHDR_OP: option match type (NLA_U8)
+ * @NFTA_EXTHDR_OP: option match type (NLA_U32)
+ * @NFTA_EXTHDR_SREG: option match type (NLA_U32)
  */
 enum nft_exthdr_attributes {
 	NFTA_EXTHDR_UNSPEC,
@@ -741,6 +742,7 @@ enum nft_exthdr_attributes {
 	NFTA_EXTHDR_LEN,
 	NFTA_EXTHDR_FLAGS,
 	NFTA_EXTHDR_OP,
+	NFTA_EXTHDR_SREG,
 	__NFTA_EXTHDR_MAX
 };
 #define NFTA_EXTHDR_MAX		(__NFTA_EXTHDR_MAX - 1)
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index d4f166525dc9..75cafbc113f7 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -30,6 +30,7 @@
 
 struct nftnl_expr_exthdr {
 	enum nft_registers	dreg;
+	enum nft_registers	sreg;
 	uint32_t		offset;
 	uint32_t		len;
 	uint8_t			type;
@@ -62,6 +63,9 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
 	case NFTNL_EXPR_EXTHDR_FLAGS:
 		exthdr->flags = *((uint32_t *)data);
 		break;
+	case NFTNL_EXPR_EXTHDR_SREG:
+		exthdr->sreg = *((uint32_t *)data);
+		break;
 	default:
 		return -1;
 	}
@@ -93,6 +97,9 @@ nftnl_expr_exthdr_get(const struct nftnl_expr *e, uint16_t type,
 	case NFTNL_EXPR_EXTHDR_FLAGS:
 		*data_len = sizeof(exthdr->flags);
 		return &exthdr->flags;
+	case NFTNL_EXPR_EXTHDR_SREG:
+		*data_len = sizeof(exthdr->sreg);
+		return &exthdr->sreg;
 	}
 	return NULL;
 }
@@ -111,6 +118,7 @@ static int nftnl_expr_exthdr_cb(const struct nlattr *attr, void *data)
 			abi_breakage();
 		break;
 	case NFTA_EXTHDR_DREG:
+	case NFTA_EXTHDR_SREG:
 	case NFTA_EXTHDR_OFFSET:
 	case NFTA_EXTHDR_LEN:
 	case NFTA_EXTHDR_OP:
@@ -131,6 +139,8 @@ nftnl_expr_exthdr_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
 
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_DREG))
 		mnl_attr_put_u32(nlh, NFTA_EXTHDR_DREG, htonl(exthdr->dreg));
+	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_SREG))
+		mnl_attr_put_u32(nlh, NFTA_EXTHDR_SREG, htonl(exthdr->sreg));
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_TYPE))
 		mnl_attr_put_u8(nlh, NFTA_EXTHDR_TYPE, exthdr->type);
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_OFFSET))
@@ -156,6 +166,10 @@ nftnl_expr_exthdr_parse(struct nftnl_expr *e, struct nlattr *attr)
 		exthdr->dreg = ntohl(mnl_attr_get_u32(tb[NFTA_EXTHDR_DREG]));
 		e->flags |= (1 << NFTNL_EXPR_EXTHDR_DREG);
 	}
+	if (tb[NFTA_EXTHDR_SREG]) {
+		exthdr->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_EXTHDR_SREG]));
+		e->flags |= (1 << NFTNL_EXPR_EXTHDR_SREG);
+	}
 	if (tb[NFTA_EXTHDR_TYPE]) {
 		exthdr->type = mnl_attr_get_u8(tb[NFTA_EXTHDR_TYPE]);
 		e->flags |= (1 << NFTNL_EXPR_EXTHDR_TYPE);
@@ -247,6 +261,10 @@ nftnl_expr_exthdr_json_parse(struct nftnl_expr *e, json_t *root,
 				  err) == 0)
 		nftnl_expr_set_u32(e, NFTNL_EXPR_EXTHDR_DREG, uval32);
 
+	if (nftnl_jansson_parse_reg(root, "sreg", NFTNL_TYPE_U32, &uval32,
+				  err) == 0)
+		nftnl_expr_set_u32(e, NFTNL_EXPR_EXTHDR_SREG, uval32);
+
 	exthdr_type = nftnl_jansson_parse_str(root, "exthdr_type", err);
 	if (exthdr_type != NULL) {
 		type = str2exthdr_type(exthdr_type);
@@ -283,6 +301,8 @@ static int nftnl_expr_exthdr_export(char *buf, size_t len,
 
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_DREG))
 		nftnl_buf_u32(&b, type, exthdr->dreg, DREG);
+	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_SREG))
+		nftnl_buf_u32(&b, type, exthdr->dreg, SREG);
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_TYPE))
 		nftnl_buf_str(&b, type, type2str(exthdr->type), EXTHDR_TYPE);
 	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_OFFSET))
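Review bot: The SREG branch added at L145-L146 serialises `exthdr->dreg` under the SREG key, so exported output carries the destination register where the source register is expected, and a round trip through nftnl_expr_exthdr_json_parse ("sreg") would restore the wrong register. The line should read `nftnl_buf_u32(&b, type, exthdr->sreg, SREG);`. nftnl_expr_exthdr_export starts and ends outside the hunk.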
@@ -301,11 +321,18 @@ static int nftnl_expr_exthdr_snprintf_default(char *buf, size_t len,
 					      const struct nftnl_expr *e)
 {
 	struct nftnl_expr_exthdr *exthdr = nftnl_expr_data(e);
-	return snprintf(buf, len, "load%s %ub @ %u + %u%s => reg %u ",
-			op2str(exthdr->op), exthdr->len, exthdr->type,
-			exthdr->offset,
-			exthdr->flags & NFT_EXTHDR_F_PRESENT ? " present" : "",
-			exthdr->dreg);
+
+	if (e->flags & (1 << NFTNL_EXPR_EXTHDR_DREG))
+		return snprintf(buf, len, "load%s %ub @ %u + %u%s => reg %u ",
+				op2str(exthdr->op), exthdr->len, exthdr->type,
+				exthdr->offset,
+				exthdr->flags & NFT_EXTHDR_F_PRESENT ? " present" : "",
+				exthdr->dreg);
+	else
+		return snprintf(buf, len, "write%s reg %u => %ub @ %u + %u ",
+				op2str(exthdr->op), exthdr->sreg, exthdr->len, exthdr->type,
+				exthdr->offset);
+
 }
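Review bot: The `else` at L166 selects the write form whenever DREG is absent, which includes an expression with neither register set; that case then prints `reg 0` from an unset sreg. Gating it as `else if (e->flags & (1 << NFTNL_EXPR_EXTHDR_SREG))` with an explicit final `return 0;` would make the fallback deliberate rather than implied. The blank line at L170 before the closing brace looks accidental.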
 
 static int
@@ -333,6 +360,8 @@ static bool nftnl_expr_exthdr_cmp(const struct nftnl_expr *e1,
 
 	if (e1->flags & (1 << NFTNL_EXPR_EXTHDR_DREG))
 		eq &= (h1->dreg == h2->dreg);
+	if (e1->flags & (1 << NFTNL_EXPR_EXTHDR_SREG))
+		eq &= (h1->sreg == h2->sreg);
 	if (e1->flags & (1 << NFTNL_EXPR_EXTHDR_OFFSET))
 		eq &= (h1->offset == h2->offset);
 	if (e1->flags & (1 << NFTNL_EXPR_EXTHDR_LEN))
-- 
2.13.0



* [PATCH libnftnl 2/7] rt: tcpmss get support
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
  2017-08-19 23:14 ` [PATCH libnftnl 1/7] exthdr: tcp option set support Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:08   ` Pablo Neira Ayuso
  2017-08-19 23:14 ` [PATCH nft 3/7] exthdr: move print of tcp options to tcpopt.c Florian Westphal
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter/nf_tables.h | 1 +
 src/expr/rt.c                       | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4766f5091b5f..2e174d820190 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -815,6 +815,7 @@ enum nft_rt_keys {
 	NFT_RT_CLASSID,
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
+	NFT_RT_TCPMSS,
 };
 
 /**
diff --git a/src/expr/rt.c b/src/expr/rt.c
index 5088e6630c95..62c01a0be0f5 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -20,7 +20,7 @@
 #include <libnftnl/rule.h>
 
 #ifndef NFT_RT_MAX
-#define NFT_RT_MAX (NFT_RT_NEXTHOP6 + 1)
+#define NFT_RT_MAX (NFT_RT_TCPMSS + 1)
 #endif
 
 struct nftnl_expr_rt {
@@ -120,6 +120,7 @@ static const char *rt_key2str_array[NFT_RT_MAX] = {
 	[NFT_RT_CLASSID]	= "classid",
 	[NFT_RT_NEXTHOP4]	= "nexthop4",
 	[NFT_RT_NEXTHOP6]	= "nexthop6",
+	[NFT_RT_TCPMSS]		= "tcpmss",
 };
 
 static const char *rt_key2str(uint8_t key)
-- 
2.13.0



* [PATCH nft 3/7] exthdr: move print of tcp options to tcpopt.c
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
  2017-08-19 23:14 ` [PATCH libnftnl 1/7] exthdr: tcp option set support Florian Westphal
  2017-08-19 23:14 ` [PATCH libnftnl 2/7] rt: tcpmss get support Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-19 23:14 ` [PATCH nft 4/7] src: add tcp options set support Florian Westphal
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

A follow-up patch will add template type tests (in order
to print the short-hand version of tcp mss mangling); it seems
better not to have this in exthdr.c, so move this code to tcpopt.c
first.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/tcpopt.h |  2 ++
 src/exthdr.c     | 32 +++++++++-----------------------
 src/tcpopt.c     | 20 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/include/tcpopt.h b/include/tcpopt.h
index f96c04c6ee93..42e9cf0506e5 100644
--- a/include/tcpopt.h
+++ b/include/tcpopt.h
@@ -14,6 +14,8 @@ extern void tcpopt_init_raw(struct expr *expr, uint8_t type,
 extern bool tcpopt_find_template(struct expr *expr, const struct expr *mask,
 				 unsigned int *shift);
 
+void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx);
+
 enum tcpopt_hdr_types {
 	TCPOPTHDR_INVALID,
 	TCPOPTHDR_EOL,
diff --git a/src/exthdr.c b/src/exthdr.c
index a412025c9a48..73b2c05836e0 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -25,29 +25,15 @@
 static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	if (expr->exthdr.op == NFT_EXTHDR_OP_TCPOPT) {
-		/* Offset calcualtion is a bit hacky at this point.
-		 * There might be an tcp option one day with another
-		 * multiplicator
-		 */
-		unsigned int offset = expr->exthdr.offset / 64;
-		char buf[9] = {0};
-
-		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
-			printf("tcp option %s", expr->exthdr.desc->name);
-			return;
-		}
-
-		if (offset)
-			snprintf(buf, sizeof buf, "%d", offset);
-		printf("tcp option %s%s %s", expr->exthdr.desc->name, buf,
-					     expr->exthdr.tmpl->token);
-	} else {
-		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
-			printf("exthdr %s", expr->exthdr.desc->name);
-		else {
-			printf("%s %s", expr->exthdr.desc ? expr->exthdr.desc->name : "unknown-exthdr",
-					expr->exthdr.tmpl->token);
-		}
+		tcpopt_expr_print(expr, octx);
+		return;
+	}
+
+	if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
+		printf("exthdr %s", expr->exthdr.desc->name);
+	else {
+		printf("%s %s", expr->exthdr.desc ? expr->exthdr.desc->name : "unknown-exthdr",
+				expr->exthdr.tmpl->token);
 	}
 }
 
diff --git a/src/tcpopt.c b/src/tcpopt.c
index 7c6c2557028a..a76ad3490f9c 100644
--- a/src/tcpopt.c
+++ b/src/tcpopt.c
@@ -227,6 +227,26 @@ void tcpopt_init_raw(struct expr *expr, uint8_t type, unsigned int offset,
 	}
 }
 
+void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx)
+{
+	/* Offset calcualtion is a bit hacky at this point.
+	 * There might be an tcp option one day with another
+	 * multiplicator
+	 */
+	unsigned int offset = expr->exthdr.offset / 64;
+	char buf[9] = {0};
+
+	if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
+		printf("tcp option %s", expr->exthdr.desc->name);
+		return;
+	}
+
+	if (offset)
+		snprintf(buf, sizeof buf, "%d", offset);
+	printf("tcp option %s%s %s", expr->exthdr.desc->name, buf,
+				     expr->exthdr.tmpl->token);
+}
+
 bool tcpopt_find_template(struct expr *expr, const struct expr *mask,
 			  unsigned int *shift)
 {
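Review bot: Since the comment at L334-L337 is being moved anyway, this is the moment to fix its typos: `/* Offset calculation is a bit hacky at this point. There might be a tcp option one day with another multiplicator. */`. The new tcpopt_expr_print accepts `octx` but never reads it; if it is kept for symmetry with exthdr_expr_print's signature, a short comment saying so would spare the next reader the question.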
-- 
2.13.0



* [PATCH nft 4/7] src: add tcp options set support
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
                   ` (2 preceding siblings ...)
  2017-08-19 23:14 ` [PATCH nft 3/7] exthdr: move print of tcp options to tcpopt.c Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:09   ` Pablo Neira Ayuso
  2017-08-19 23:14 ` [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling Florian Westphal
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This adds support for tcp mss mangling:

nft add rule filter input tcp option maxseg size 1200

It's also possible to change other tcp option fields, but
maxseg is one of the more useful ones to change.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/statement.h       | 11 +++++++++++
 include/tcpopt.h          |  2 ++
 src/evaluate.c            | 15 +++++++++++++++
 src/exthdr.c              | 30 ++++++++++++++++++++++++++++++
 src/netlink_delinearize.c | 21 +++++++++++++++++++--
 src/netlink_linearize.c   | 29 +++++++++++++++++++++++++++++
 src/parser_bison.y        |  5 ++++-
 src/tcpopt.c              |  7 +++++++
 8 files changed, 117 insertions(+), 3 deletions(-)

diff --git a/include/statement.h b/include/statement.h
index 61b5027b97f1..6d8aaa8ba72b 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -24,6 +24,14 @@ struct counter_stmt {
 
 extern struct stmt *counter_stmt_alloc(const struct location *loc);
 
+struct exthdr_stmt {
+	struct expr			*expr;
+	struct expr			*val;
+};
+
+extern struct stmt *exthdr_stmt_alloc(const struct location *loc,
+				      struct expr *payload, struct expr *expr);
+
 struct payload_stmt {
 	struct expr			*expr;
 	struct expr			*val;
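Review bot: The prototype at L405-L406 names its parameters `payload` and `expr`, while the definition later in this patch (src/exthdr.c) names them `expr` and `val` and stores them in the `expr`/`val` fields declared at L401-L402. Renaming the prototype to `extern struct stmt *exthdr_stmt_alloc(const struct location *loc, struct expr *expr, struct expr *val);` keeps the header self-explanatory and consistent with the definition.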
@@ -220,6 +228,7 @@ struct xt_stmt {
  * @STMT_QUOTA:		quota statement
  * @STMT_NOTRACK:	notrack statement
  * @STMT_OBJREF:	stateful object reference statement
+ * @STMT_EXTHDR:	extension header statement
  */
 enum stmt_types {
 	STMT_INVALID,
@@ -244,6 +253,7 @@ enum stmt_types {
 	STMT_QUOTA,
 	STMT_NOTRACK,
 	STMT_OBJREF,
+	STMT_EXTHDR,
 };
 
 /**
@@ -285,6 +295,7 @@ struct stmt {
 
 	union {
 		struct expr		*expr;
+		struct exthdr_stmt	exthdr;
 		struct flow_stmt	flow;
 		struct counter_stmt	counter;
 		struct payload_stmt	payload;
diff --git a/include/tcpopt.h b/include/tcpopt.h
index 42e9cf0506e5..7a5a997041ad 100644
--- a/include/tcpopt.h
+++ b/include/tcpopt.h
@@ -3,6 +3,7 @@
 
 #include <proto.h>
 #include <exthdr.h>
+#include <statement.h>
 
 extern struct expr *tcpopt_expr_alloc(const struct location *loc,
 				      uint8_t type, uint8_t field);
@@ -15,6 +16,7 @@ extern bool tcpopt_find_template(struct expr *expr, const struct expr *mask,
 				 unsigned int *shift);
 
 void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx);
+void tcpopt_stmt_print(const struct stmt *stmt, struct output_ctx *octx);
 
 enum tcpopt_hdr_types {
 	TCPOPTHDR_INVALID,
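Review bot: The prototype at L451 (like tcpopt_expr_print above it) omits the `extern` that the neighbouring declarations in this header use; `extern void tcpopt_stmt_print(const struct stmt *stmt, struct output_ctx *octx);` would keep the file consistent. The `#include <statement.h>` added at L443 also makes every includer of tcpopt.h pull in statement.h; since only a pointer is needed here, a forward declaration `struct stmt;` would suffice.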
diff --git a/src/evaluate.c b/src/evaluate.c
index f52a0843a0c0..3989d5e31f56 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1835,6 +1835,19 @@ static bool stmt_evaluate_payload_need_csum(const struct expr *payload)
 	return desc && desc->checksum_key;
 }
 
+static int stmt_evaluate_exthdr(struct eval_ctx *ctx, struct stmt *stmt)
+{
+	struct expr *exthdr;
+
+	if (__expr_evaluate_exthdr(ctx, &stmt->exthdr.expr) < 0)
+		return -1;
+
+	exthdr = stmt->exthdr.expr;
+	return stmt_evaluate_arg(ctx, stmt, exthdr->dtype, exthdr->len,
+				 BYTEORDER_BIG_ENDIAN,
+				 &stmt->exthdr.val);
+}
+
 static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt)
 {
 	struct expr *binop, *mask, *and, *payload_bytes;
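Review bot: stmt_evaluate_exthdr at L471-L473 fixes the value's byte order to BYTEORDER_BIG_ENDIAN, while the delinearize path in this patch retypes the value with `expr->byteorder` of the exthdr expression; using `exthdr->byteorder` here would keep both directions of the conversion consistent. Presumably every tcp option template is big-endian today, so this is a latent inconsistency rather than a current bug; if the hard-coded value is intentional, a one-line comment stating that assumption would be enough.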
@@ -2700,6 +2713,8 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
 		return stmt_evaluate_verdict(ctx, stmt);
 	case STMT_PAYLOAD:
 		return stmt_evaluate_payload(ctx, stmt);
+	case STMT_EXTHDR:
+		return stmt_evaluate_exthdr(ctx, stmt);
 	case STMT_FLOW:
 		return stmt_evaluate_flow(ctx, stmt);
 	case STMT_META:
diff --git a/src/exthdr.c b/src/exthdr.c
index 73b2c05836e0..7d13c83c9943 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -21,6 +21,7 @@
 #include <utils.h>
 #include <headers.h>
 #include <expression.h>
+#include <statement.h>
 
 static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
@@ -84,6 +85,35 @@ struct expr *exthdr_expr_alloc(const struct location *loc,
 	return expr;
 }
 
+static void exthdr_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+{
+	if (stmt->exthdr.expr->exthdr.op == NFT_EXTHDR_OP_TCPOPT) {
+		tcpopt_stmt_print(stmt, octx);
+		return;
+	}
+
+	expr_print(stmt->exthdr.expr, octx);
+	printf(" set ");
+	expr_print(stmt->exthdr.val, octx);
+}
+
+static const struct stmt_ops exthdr_stmt_ops = {
+	.type		= STMT_EXTHDR,
+	.name		= "exthdr",
+	.print		= exthdr_stmt_print,
+};
+
+struct stmt *exthdr_stmt_alloc(const struct location *loc,
+				struct expr *expr, struct expr *val)
+{
+	struct stmt *stmt;
+
+	stmt = stmt_alloc(loc, &exthdr_stmt_ops);
+	stmt->exthdr.expr = expr;
+	stmt->exthdr.val  = val;
+	return stmt;
+}
+
 static const struct exthdr_desc *exthdr_protocols[IPPROTO_MAX] = {
 	[IPPROTO_HOPOPTS]	= &exthdr_hbh,
 	[IPPROTO_ROUTING]	= &exthdr_rt,
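Review bot: exthdr_stmt_print at L507 calls tcpopt_stmt_print, but this file only gains `#include <statement.h>` here; the `#include <tcpopt.h>` that declares that function is added by patch 5, so unless tcpopt.h is reached transitively this patch does not build on its own (implicit function declaration). Moving that include into this patch keeps the series bisectable. exthdr_stmt_ops at L516-L520 also defines only `.print`; if statement teardown relies on a `.destroy` callback to release `stmt->exthdr.expr` and `stmt->exthdr.val`, both expressions leak when the rule is freed — worth checking against how payload_stmt_ops handles it.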
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 5317a830ac6d..51a61472a0f1 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -513,8 +513,25 @@ static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx,
 	expr = exthdr_expr_alloc(loc, NULL, 0);
 	exthdr_init_raw(expr, type, offset, len, op, flags);
 
-	dreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_DREG);
-	netlink_set_register(ctx, dreg, expr);
+	if (nftnl_expr_is_set(nle, NFTNL_EXPR_EXTHDR_DREG)) {
+		dreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_DREG);
+		netlink_set_register(ctx, dreg, expr);
+	} else if (nftnl_expr_is_set(nle, NFTNL_EXPR_EXTHDR_SREG)) {
+		enum nft_registers sreg;
+		struct stmt *stmt;
+		struct expr *val;
+
+		sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG);
+		val = netlink_get_register(ctx, loc, sreg);
+		if (val == NULL)
+			return netlink_error(ctx, loc,
+					     "exthdr statement has no expression");
+
+		expr_set_type(val, expr->dtype, expr->byteorder);
+
+		stmt = exthdr_stmt_alloc(loc, expr, val);
+		list_add_tail(&stmt->list, &ctx->rule->stmts);
+	}
 }
 
 static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
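Review bot: netlink_parse_exthdr now handles DREG and SREG at L546-L564, but an expression carrying neither attribute falls through both branches and silently drops the `expr` allocated at L541 without reporting anything; a final `else` that frees it and calls netlink_error would surface malformed input instead of leaking. The error return at L556-L558 likewise leaves `expr` unreleased; an `expr_free(expr);` before returning would close that path. The start of netlink_parse_exthdr, including the `dreg` declaration, is outside the hunk.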
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 3d684569cabf..c5a47dec7d10 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -816,6 +816,33 @@ static bool payload_needs_l4csum_update_pseudohdr(const struct expr *expr,
 	return false;
 }
 
+static void netlink_gen_exthdr_stmt(struct netlink_linearize_ctx *ctx,
+				    const struct stmt *stmt)
+{
+	struct nftnl_expr *nle;
+	const struct expr *expr;
+	enum nft_registers sreg;
+	unsigned int offset;
+
+	sreg = get_register(ctx, stmt->exthdr.val);
+	netlink_gen_expr(ctx, stmt->exthdr.val, sreg);
+	release_register(ctx, stmt->exthdr.val);
+
+	expr = stmt->exthdr.expr;
+
+	offset = expr->exthdr.tmpl->offset + expr->exthdr.offset;
+
+	nle = alloc_nft_expr("exthdr");
+	netlink_put_register(nle, NFTNL_EXPR_EXTHDR_SREG, sreg);
+	nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_TYPE,
+			  expr->exthdr.desc->type);
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE);
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN,
+			   div_round_up(expr->len, BITS_PER_BYTE));
+	nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
+	nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
 static void netlink_gen_payload_stmt(struct netlink_linearize_ctx *ctx,
 				     const struct stmt *stmt)
 {
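Review bot: netlink_gen_exthdr_stmt truncates the bit offset to a byte at L596 (`offset / BITS_PER_BYTE`) and rounds the length up at L598, so a template field that is not byte-aligned would be written as the whole enclosing byte range, and nothing in stmt_evaluate_exthdr rejects such a field. Presumably all tcp option template fields in use are byte-aligned, so either a guard in evaluation or a comment here stating that assumption (`/* tcp option fields are byte-aligned; offset/len are whole bytes */`) would make the limitation explicit.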
@@ -1239,6 +1266,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
 		return netlink_gen_verdict_stmt(ctx, stmt);
 	case STMT_FLOW:
 		return netlink_gen_flow_stmt(ctx, stmt);
+	case STMT_EXTHDR:
+		return netlink_gen_exthdr_stmt(ctx, stmt);
 	case STMT_PAYLOAD:
 		return netlink_gen_payload_stmt(ctx, stmt);
 	case STMT_META:
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 783b72f5a343..7898ea3fe7bc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3209,7 +3209,10 @@ ct_stmt			:	CT	ct_key		SET	expr
 
 payload_stmt		:	payload_expr		SET	expr
 			{
-				$$ = payload_stmt_alloc(&@$, $1, $3);
+				if ($1->ops->type == EXPR_EXTHDR)
+					$$ = exthdr_stmt_alloc(&@$, $1, $3);
+				else
+					$$ = payload_stmt_alloc(&@$, $1, $3);
 			}
 			;
 
diff --git a/src/tcpopt.c b/src/tcpopt.c
index a76ad3490f9c..63f0c236c9cf 100644
--- a/src/tcpopt.c
+++ b/src/tcpopt.c
@@ -247,6 +247,13 @@ void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx)
 				     expr->exthdr.tmpl->token);
 }
 
+void tcpopt_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+{
+	tcpopt_expr_print(stmt->exthdr.expr, octx);
+	printf(" set ");
+	expr_print(stmt->exthdr.val, octx);
+}
+
 bool tcpopt_find_template(struct expr *expr, const struct expr *mask,
 			  unsigned int *shift)
 {
-- 
2.13.0



* [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
                   ` (3 preceding siblings ...)
  2017-08-19 23:14 ` [PATCH nft 4/7] src: add tcp options set support Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:12   ` Pablo Neira Ayuso
  2017-08-19 23:14 ` [PATCH nft 6/7] rt: add path mss support Florian Westphal
  2017-08-19 23:14 ` [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases Florian Westphal
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

short-hand version of tcp option maxseg size 1:
tcp option mss set 1

Reverse also prints the more compact representation.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/exthdr.c       |  1 +
 src/parser_bison.y |  7 +++++++
 src/scanner.l      |  1 +
 src/tcpopt.c       | 11 +++++++++--
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/exthdr.c b/src/exthdr.c
index 7d13c83c9943..a4d4fa5b0864 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -20,6 +20,7 @@
 
 #include <utils.h>
 #include <headers.h>
+#include <tcpopt.h>
 #include <expression.h>
 #include <statement.h>
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 7898ea3fe7bc..533347264729 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -334,6 +334,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token RIGHT			"right"
 %token TSVAL			"tsval"
 %token TSECR			"tsecr"
+%token MSS			"mss"
 
 %token DCCP			"dccp"
 
@@ -3214,6 +3215,12 @@ payload_stmt		:	payload_expr		SET	expr
 				else
 					$$ = payload_stmt_alloc(&@$, $1, $3);
 			}
+			|	TCP	OPTION	MSS	SET	expr
+			{
+				$$ = exthdr_stmt_alloc(&@$,
+							tcpopt_expr_alloc(&@$, TCPOPTHDR_MAXSEG, TCPOPTHDR_FIELD_SIZE),
+							$5);
+			}
 			;
 
 payload_expr		:	payload_raw_expr
diff --git a/src/scanner.l b/src/scanner.l
index b6ba32d88f4a..ede6ed73e5df 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -433,6 +433,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "window"		{ return WINDOW; }
 "urgptr"		{ return URGPTR; }
 "option"		{ return OPTION; }
+"mss"			{ return MSS; }
 
 "dccp"			{ return DCCP; }
 
diff --git a/src/tcpopt.c b/src/tcpopt.c
index 63f0c236c9cf..c0540b7a31b2 100644
--- a/src/tcpopt.c
+++ b/src/tcpopt.c
@@ -249,8 +249,15 @@ void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx)
 
 void tcpopt_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	tcpopt_expr_print(stmt->exthdr.expr, octx);
-	printf(" set ");
+	if (stmt->exthdr.expr->exthdr.desc->type == TCPOPT_MAXSEG &&
+	    stmt->exthdr.expr->exthdr.tmpl ==
+	    &stmt->exthdr.expr->exthdr.desc->templates[TCPOPTHDR_FIELD_SIZE]) {
+		printf("tcp option mss set ");
+	} else {
+		tcpopt_expr_print(stmt->exthdr.expr, octx);
+		printf(" set ");
+	}
+
 	expr_print(stmt->exthdr.val, octx);
 }
 
-- 
2.13.0



* [PATCH nft 6/7] rt: add path mss support
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
                   ` (4 preceding siblings ...)
  2017-08-19 23:14 ` [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:12   ` Pablo Neira Ayuso
  2017-08-19 23:14 ` [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases Florian Westphal
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

The only use case is to allow behaviour similar to iptables
TCPMSS --clamp-mss-to-pmtu, by combining it with the tcp exthdr:

tcp option mss set rt mss

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter/nf_tables.h | 1 +
 src/parser_bison.y                  | 1 +
 src/rt.c                            | 5 +++++
 3 files changed, 7 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 40096de04e96..5441b190852f 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -813,6 +813,7 @@ enum nft_rt_keys {
 	NFT_RT_CLASSID,
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
+	NFT_RT_TCPMSS,
 };
 
 /**
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 533347264729..cfac6ba251fb 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3095,6 +3095,7 @@ rt_expr			:	RT	rt_key
 
 rt_key			:	CLASSID		{ $$ = NFT_RT_CLASSID; }
 			|	NEXTHOP		{ $$ = NFT_RT_NEXTHOP4; }
+			|	MSS		{ $$ = NFT_RT_TCPMSS; }
 			;
 
 ct_expr			: 	CT	ct_key
diff --git a/src/rt.c b/src/rt.c
index cd2d5a4ed7b9..073d8c927153 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -73,6 +73,11 @@ static const struct rt_template rt_templates[] = {
 					      16 * BITS_PER_BYTE,
 					      BYTEORDER_BIG_ENDIAN,
 					      true),
+	[NFT_RT_TCPMSS]		= RT_TEMPLATE("mss",
+					      &integer_type,
+					      2 * BITS_PER_BYTE,
+					      BYTEORDER_HOST_ENDIAN,
+					      false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
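Review bot: The new template at L812-L816 declares the key BYTEORDER_HOST_ENDIAN, yet stmt_evaluate_exthdr (patch 4) evaluates the written value as BYTEORDER_BIG_ENDIAN, and the expected payload for `tcp option mss set rt mss` in patch 7 shows `rt load tcpmss => reg 1` feeding `exthdr write` with no byteorder conversion in between. Unless the kernel stores NFT_RT_TCPMSS in network byte order, the MSS written on a little-endian host would be byte-swapped; either the template should be BYTEORDER_BIG_ENDIAN to match what the kernel puts in the register, or evaluation should insert the conversion. Worth confirming against the kernel side of the series.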
-- 
2.13.0



* [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases
  2017-08-19 23:14 [PATCH nft 0/7] tcp mss mangling support Florian Westphal
                   ` (5 preceding siblings ...)
  2017-08-19 23:14 ` [PATCH nft 6/7] rt: add path mss support Florian Westphal
@ 2017-08-19 23:14 ` Florian Westphal
  2017-08-21 14:14   ` Pablo Neira Ayuso
  6 siblings, 1 reply; 16+ messages in thread
From: Florian Westphal @ 2017-08-19 23:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/py/inet/rt.t             |  4 +++-
 tests/py/inet/rt.t.payload     |  5 +++++
 tests/py/inet/tcpopt.t         |  3 +++
 tests/py/inet/tcpopt.t.payload | 15 +++++++++++++++
 4 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t
index f2dcbdc41da9..64c36579d8f4 100644
--- a/tests/py/inet/rt.t
+++ b/tests/py/inet/rt.t
@@ -1,4 +1,4 @@
-:output;type filter hook input priority 0
+:output;type filter hook output priority 0
 
 *inet;test-inet;output
 
@@ -6,3 +6,5 @@ rt nexthop 192.168.0.1;fail
 rt nexthop fd00::1;fail
 meta nfproto ipv4 rt nexthop 192.168.0.1;ok
 meta nfproto ipv6 rt nexthop fd00::1;ok
+
+tcp option mss set rt mss;ok
diff --git a/tests/py/inet/rt.t.payload b/tests/py/inet/rt.t.payload
index d94973e03ffa..54429492e278 100644
--- a/tests/py/inet/rt.t.payload
+++ b/tests/py/inet/rt.t.payload
@@ -12,3 +12,8 @@ inet test-inet output
   [ rt load nexthop6 => reg 1 ]
   [ cmp eq reg 1 0x000000fd 0x00000000 0x00000000 0x01000000 ]
 
+# tcp option mss set rt mss
+inet test-inet output
+  [ rt load tcpmss => reg 1 ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
diff --git a/tests/py/inet/tcpopt.t b/tests/py/inet/tcpopt.t
index a42ecd250a9c..94ad3fc4c645 100644
--- a/tests/py/inet/tcpopt.t
+++ b/tests/py/inet/tcpopt.t
@@ -38,3 +38,6 @@ tcp option sack window 1;fail
 
 tcp option window exists;ok
 tcp option window missing;ok
+
+tcp option maxseg size set 1360;ok;tcp option mss set 1360
+tcp option mss set 1360;ok
diff --git a/tests/py/inet/tcpopt.t.payload b/tests/py/inet/tcpopt.t.payload
index 10cf0c00f402..29a955b74ad1 100644
--- a/tests/py/inet/tcpopt.t.payload
+++ b/tests/py/inet/tcpopt.t.payload
@@ -193,3 +193,18 @@ inet test-inet input
   [ cmp eq reg 1 0x00000006 ]
   [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
+
+# tcp option maxseg size set 1360
+inet test-inet input
+  [ immediate reg 1 0x00005005 ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
+# tcp option maxseg size set 1360
+inet test-inet input
+  [ immediate reg 1 0x00005005 ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
+# tcp option mss set 1360
+inet test-inet input
+  [ immediate reg 1 0x00005005 ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
-- 
2.13.0



* Re: [PATCH libnftnl 1/7] exthdr: tcp option set support
  2017-08-19 23:14 ` [PATCH libnftnl 1/7] exthdr: tcp option set support Florian Westphal
@ 2017-08-21 14:07   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:07 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Aug 20, 2017 at 01:14:07AM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [PATCH libnftnl 2/7] rt: tcpmss get support
  2017-08-19 23:14 ` [PATCH libnftnl 2/7] rt: tcpmss get support Florian Westphal
@ 2017-08-21 14:08   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:08 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [PATCH nft 4/7] src: add tcp options set support
  2017-08-19 23:14 ` [PATCH nft 4/7] src: add tcp options set support Florian Westphal
@ 2017-08-21 14:09   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:09 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Aug 20, 2017 at 01:14:10AM +0200, Florian Westphal wrote:
> This adds support for tcp mss mangling:
> 
> nft add rule filter input tcp option maxseg size 1200
> 
> Its also possible to change other tcp option fields, but
> maxseg is one of the more useful ones to change.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling
  2017-08-19 23:14 ` [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling Florian Westphal
@ 2017-08-21 14:12   ` Pablo Neira Ayuso
  2017-08-21 14:23     ` Florian Westphal
  0 siblings, 1 reply; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:12 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Aug 20, 2017 at 01:14:11AM +0200, Florian Westphal wrote:
> short-hand version of tcp option maxseg size 1:
> tcp option mss set 1
> 
> Reverse also prints the more compact representation.

Why not just keep with the shortcut (more compact) representation?

> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  src/exthdr.c       |  1 +
>  src/parser_bison.y |  7 +++++++
>  src/scanner.l      |  1 +
>  src/tcpopt.c       | 11 +++++++++--
>  4 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/src/exthdr.c b/src/exthdr.c
> index 7d13c83c9943..a4d4fa5b0864 100644
> --- a/src/exthdr.c
> +++ b/src/exthdr.c
> @@ -20,6 +20,7 @@
>  
>  #include <utils.h>
>  #include <headers.h>
> +#include <tcpopt.h>
>  #include <expression.h>
>  #include <statement.h>
>  
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 7898ea3fe7bc..533347264729 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -334,6 +334,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
>  %token RIGHT			"right"
>  %token TSVAL			"tsval"
>  %token TSECR			"tsecr"
> +%token MSS			"mss"
>  
>  %token DCCP			"dccp"
>  
> @@ -3214,6 +3215,12 @@ payload_stmt		:	payload_expr		SET	expr
>  				else
>  					$$ = payload_stmt_alloc(&@$, $1, $3);
>  			}
> +			|	TCP	OPTION	MSS	SET	expr
> +			{
> +				$$ = exthdr_stmt_alloc(&@$,
> +							tcpopt_expr_alloc(&@$, TCPOPTHDR_MAXSEG, TCPOPTHDR_FIELD_SIZE),
> +							$5);
> +			}
>  			;
>  
>  payload_expr		:	payload_raw_expr
> diff --git a/src/scanner.l b/src/scanner.l
> index b6ba32d88f4a..ede6ed73e5df 100644
> --- a/src/scanner.l
> +++ b/src/scanner.l
> @@ -433,6 +433,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
>  "window"		{ return WINDOW; }
>  "urgptr"		{ return URGPTR; }
>  "option"		{ return OPTION; }
> +"mss"			{ return MSS; }
>  
>  "dccp"			{ return DCCP; }
>  
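Review bot: `"mss"` becomes an unconditional keyword in the scanner, so the MSS token is returned wherever the word appears, not only after `tcp option`. If the grammar's identifier production does not list MSS among the tokens it accepts as a plain name, an existing ruleset that names a set, map or chain `mss` would stop parsing after this change; that production is in parser_bison.y, outside this hunk, so I cannot confirm either way from here.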
> diff --git a/src/tcpopt.c b/src/tcpopt.c
> index 63f0c236c9cf..c0540b7a31b2 100644
> --- a/src/tcpopt.c
> +++ b/src/tcpopt.c
> @@ -249,8 +249,15 @@ void tcpopt_expr_print(const struct expr *expr, struct output_ctx *octx)
>  
>  void tcpopt_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
>  {
> -	tcpopt_expr_print(stmt->exthdr.expr, octx);
> -	printf(" set ");
> +	if (stmt->exthdr.expr->exthdr.desc->type == TCPOPT_MAXSEG &&
> +	    stmt->exthdr.expr->exthdr.tmpl ==
> +	    &stmt->exthdr.expr->exthdr.desc->templates[TCPOPTHDR_FIELD_SIZE]) {
> +		printf("tcp option mss set ");
> +	} else {
> +		tcpopt_expr_print(stmt->exthdr.expr, octx);
> +		printf(" set ");
> +	}
> +
>  	expr_print(stmt->exthdr.val, octx);
>  }
>  
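Review bot: The new condition in tcpopt_stmt_print tests `stmt->exthdr.expr->exthdr.tmpl` against the address of `desc->templates[TCPOPTHDR_FIELD_SIZE]` with nothing explaining why pointer identity is the right way to recognise the size field, and it now dereferences `exthdr.desc` unconditionally where the old code only handed the expression to tcpopt_expr_print. A one-line comment above the `if` would help the next reader: `/* the maxseg size field has a compact spelling; it is identified by template identity */`. If a statement can reach this printer with `exthdr.desc` unset (for example one built from a raw exthdr expression), the condition should check `desc` before using it; whether that is reachable is not visible from this hunk.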
> -- 
> 2.13.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PATCH nft 6/7] rt: add path mss support
  2017-08-19 23:14 ` [PATCH nft 6/7] rt: add path mss support Florian Westphal
@ 2017-08-21 14:12   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:12 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Aug 20, 2017 at 01:14:12AM +0200, Florian Westphal wrote:
> Only use case is to allow similar behaviour to iptables
> TCPMSS --clamp-mss-to-pmtu, by combining this via tcp exthdr:
> 
> tcp option mss set rt mss
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases
  2017-08-19 23:14 ` [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases Florian Westphal
@ 2017-08-21 14:14   ` Pablo Neira Ayuso
  2017-08-21 14:28     ` Florian Westphal
  0 siblings, 1 reply; 16+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21 14:14 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Thanks for adding tests.

On Sun, Aug 20, 2017 at 01:14:13AM +0200, Florian Westphal wrote:
> diff --git a/tests/py/inet/tcpopt.t b/tests/py/inet/tcpopt.t
> index a42ecd250a9c..94ad3fc4c645 100644
> --- a/tests/py/inet/tcpopt.t
> +++ b/tests/py/inet/tcpopt.t
> @@ -38,3 +38,6 @@ tcp option sack window 1;fail
>  
>  tcp option window exists;ok
>  tcp option window missing;ok
> +
> +tcp option maxseg size set 1360;ok;tcp option mss set 1360

This is a follow up, related to 5/7.

Why do we need this asymmetry at all?


* Re: [PATCH nft 5/7] src: implement shortcut for tcp mss size mangling
  2017-08-21 14:12   ` Pablo Neira Ayuso
@ 2017-08-21 14:23     ` Florian Westphal
  0 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2017-08-21 14:23 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Aug 20, 2017 at 01:14:11AM +0200, Florian Westphal wrote:
> > short-hand version of tcp option maxseg size 1:
> > tcp option mss set 1
> > 
> > Reverse also prints the more compact representation.
> 
> Why not just keep with the shortcut (more compact) representation?

I am not following, what do you suggest?



* Re: [PATCH nft 7/7] tests: add tcp option set support / tcp mss mangling test cases
  2017-08-21 14:14   ` Pablo Neira Ayuso
@ 2017-08-21 14:28     ` Florian Westphal
  0 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2017-08-21 14:28 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Thanks for adding tests.
> 
> On Sun, Aug 20, 2017 at 01:14:13AM +0200, Florian Westphal wrote:
> > diff --git a/tests/py/inet/tcpopt.t b/tests/py/inet/tcpopt.t
> > index a42ecd250a9c..94ad3fc4c645 100644
> > --- a/tests/py/inet/tcpopt.t
> > +++ b/tests/py/inet/tcpopt.t
> > @@ -38,3 +38,6 @@ tcp option sack window 1;fail
> >  
> >  tcp option window exists;ok
> >  tcp option window missing;ok
> > +
> > +tcp option maxseg size set 1360;ok;tcp option mss set 1360
> 
> This is a follow up, related to 5/7.
> 
> Why do we need this assymetry at all?

It is the same as 'meta iif ethx' vs 'iif ethx'.

I can drop the 'tcp option <option type> <field>' syntax
which means we need to add extra grammar for all 'tcp option set'
type/field combinations that we want to support.

Or we can drop the compact representation, but i find
'tcp option maxseg size' to be uglier than 'tcp option mss'.

