* [PATCH nft v2] src: add synproxy stateful object support
@ 2019-09-07 18:30 Fernando Fernandez Mancera
2019-09-07 18:55 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Fernando Fernandez Mancera @ 2019-09-07 18:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: Fernando Fernandez Mancera
Add support for "synproxy" stateful object. For example (for TCP port 80 and
using maps with saddr):
table ip foo {
synproxy https-synproxy {
synproxy mss 1460 wscale 7 timestamp sack-perm
}
synproxy other-synproxy {
synproxy mss 1460 wscale 5
}
chain bar {
tcp dport 80 synproxy name "https-synproxy"
synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
v1: initial patch
v2: fix a little typo
---
include/linux/netfilter/nf_tables.h | 3 +-
include/rule.h | 11 +++
src/evaluate.c | 5 ++
src/json.c | 20 +++++-
src/mnl.c | 8 +++
src/netlink.c | 8 +++
src/parser_bison.y | 107 +++++++++++++++++++++++++++-
src/parser_json.c | 22 +++++-
src/rule.c | 52 ++++++++++++++
src/scanner.l | 1 +
src/statement.c | 1 +
11 files changed, 232 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0ff932d..ed8881a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1481,7 +1481,8 @@ enum nft_ct_expectation_attributes {
#define NFT_OBJECT_CT_TIMEOUT 7
#define NFT_OBJECT_SECMARK 8
#define NFT_OBJECT_CT_EXPECT 9
-#define __NFT_OBJECT_MAX 10
+#define NFT_OBJECT_SYNPROXY 10
+#define __NFT_OBJECT_MAX 11
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/**
diff --git a/include/rule.h b/include/rule.h
index 0ef6aac..2708cbe 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -399,6 +399,12 @@ struct limit {
uint32_t flags;
};
+struct synproxy {
+ uint16_t mss;
+ uint8_t wscale;
+ uint32_t flags;
+};
+
struct secmark {
char ctx[NFT_SECMARK_CTX_MAXLEN];
};
@@ -426,6 +432,7 @@ struct obj {
struct ct_timeout ct_timeout;
struct secmark secmark;
struct ct_expect ct_expect;
+ struct synproxy synproxy;
};
};
@@ -529,6 +536,8 @@ enum cmd_ops {
* @CMD_OBJ_FLOWTABLES: flow tables
* @CMD_OBJ_SECMARK: secmark
* @CMD_OBJ_SECMARKS: multiple secmarks
+ * @CMD_OBJ_SYNPROXY: synproxy
+ * @CMD_OBJ_SYNPROXYS: multiple synproxys
*/
enum cmd_obj {
CMD_OBJ_INVALID,
@@ -561,6 +570,8 @@ enum cmd_obj {
CMD_OBJ_SECMARK,
CMD_OBJ_SECMARKS,
CMD_OBJ_CT_EXPECT,
+ CMD_OBJ_SYNPROXY,
+ CMD_OBJ_SYNPROXYS,
};
struct markup {
diff --git a/src/evaluate.c b/src/evaluate.c
index 29fe966..a56cd2a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3743,6 +3743,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_CT_TIMEOUT:
case CMD_OBJ_SECMARK:
case CMD_OBJ_CT_EXPECT:
+ case CMD_OBJ_SYNPROXY:
return obj_evaluate(ctx, cmd->object);
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3766,6 +3767,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_LIMIT:
case CMD_OBJ_SECMARK:
case CMD_OBJ_CT_EXPECT:
+ case CMD_OBJ_SYNPROXY:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3911,6 +3913,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
case CMD_OBJ_CT_EXPECT:
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);
+ case CMD_OBJ_SYNPROXY:
+ return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_SYNPROXY);
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
case CMD_OBJ_CT_HELPERS:
@@ -3918,6 +3922,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_SETS:
case CMD_OBJ_FLOWTABLES:
case CMD_OBJ_SECMARKS:
+ case CMD_OBJ_SYNPROXYS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/json.c b/src/json.c
index 55ce053..6adc801 100644
--- a/src/json.c
+++ b/src/json.c
@@ -282,8 +282,8 @@ static json_t *obj_print_json(const struct obj *obj)
{
const char *rate_unit = NULL, *burst_unit = NULL;
const char *type = obj_type_name(obj->type);
+ json_t *root, *tmp, *flags;
uint64_t rate, burst;
- json_t *root, *tmp;
root = json_pack("{s:s, s:s, s:s, s:I}",
"family", family2str(obj->handle.family),
@@ -368,6 +368,24 @@ static json_t *obj_print_json(const struct obj *obj)
json_string(burst_unit));
}
+ json_object_update(root, tmp);
+ json_decref(tmp);
+ break;
+ case NFT_OBJECT_SYNPROXY:
+ flags = json_array();
+ tmp = json_pack("{s:i, s:i}",
+ "mss", obj->synproxy.mss,
+ "wscale", obj->synproxy.wscale);
+ if (obj->synproxy.flags & NF_SYNPROXY_OPT_TIMESTAMP)
+ json_array_append_new(flags, json_string("timestamp"));
+ if (obj->synproxy.flags & NF_SYNPROXY_OPT_SACK_PERM)
+ json_array_append_new(flags, json_string("sack-perm"));
+
+ if (json_array_size(flags) > 0)
+ json_object_set_new(tmp, "flags", flags);
+ else
+ json_decref(flags);
+
json_object_update(root, tmp);
json_decref(tmp);
break;
diff --git a/src/mnl.c b/src/mnl.c
index 9c1f535..cbd0de4 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1034,6 +1034,14 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nftnl_obj_set_str(nlo, NFTNL_OBJ_SECMARK_CTX,
obj->secmark.ctx);
break;
+ case NFT_OBJECT_SYNPROXY:
+ nftnl_obj_set_u16(nlo, NFTNL_OBJ_SYNPROXY_MSS,
+ obj->synproxy.mss);
+ nftnl_obj_set_u8(nlo, NFTNL_OBJ_SYNPROXY_WSCALE,
+ obj->synproxy.wscale);
+ nftnl_obj_set_u32(nlo, NFTNL_OBJ_SYNPROXY_FLAGS,
+ obj->synproxy.flags);
+ break;
default:
BUG("Unknown type %d\n", obj->type);
break;
diff --git a/src/netlink.c b/src/netlink.c
index f8e1120..1e669e5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1030,6 +1030,14 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
obj->ct_expect.size =
nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_EXPECT_SIZE);
break;
+ case NFT_OBJECT_SYNPROXY:
+ obj->synproxy.mss =
+ nftnl_obj_get_u16(nlo, NFTNL_OBJ_SYNPROXY_MSS);
+ obj->synproxy.wscale =
+ nftnl_obj_get_u8(nlo, NFTNL_OBJ_SYNPROXY_WSCALE);
+ obj->synproxy.flags =
+ nftnl_obj_get_u32(nlo, NFTNL_OBJ_SYNPROXY_FLAGS);
+ break;
}
obj->type = type;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b7db1a2..111b61b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -151,6 +151,7 @@ int nft_lex(void *, void *, void *);
struct counter *counter;
struct quota *quota;
struct secmark *secmark;
+ struct synproxy *synproxy;
struct ct *ct;
struct limit *limit;
const struct datatype *datatype;
@@ -461,6 +462,7 @@ int nft_lex(void *, void *, void *);
%token COUNTERS "counters"
%token QUOTAS "quotas"
%token LIMITS "limits"
+%token SYNPROXYS "synproxys"
%token HELPERS "helpers"
%token LOG "log"
@@ -592,7 +594,7 @@ int nft_lex(void *, void *, void *);
%type <flowtable> flowtable_block_alloc flowtable_block
%destructor { flowtable_free($$); } flowtable_block_alloc
-%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block
+%type <obj> obj_block_alloc counter_block quota_block ct_helper_block ct_timeout_block ct_expect_block limit_block secmark_block synproxy_block
%destructor { obj_free($$); } obj_block_alloc
%type <list> stmt_list
@@ -700,8 +702,8 @@ int nft_lex(void *, void *, void *);
%type <expr> and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
%destructor { expr_free($$); } and_rhs_expr exclusive_or_rhs_expr inclusive_or_rhs_expr
-%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
-%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj
+%type <obj> counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj synproxy_obj
+%destructor { obj_free($$); } counter_obj quota_obj ct_obj_alloc limit_obj secmark_obj synproxy_obj
%type <expr> relational_expr
%destructor { expr_free($$); } relational_expr
@@ -787,6 +789,9 @@ int nft_lex(void *, void *, void *);
%destructor { xfree($$); } limit_config
%type <secmark> secmark_config
%destructor { xfree($$); } secmark_config
+%type <synproxy> synproxy_config
+%destructor { xfree($$); } synproxy_config
+%type <val> synproxy_ts synproxy_sack
%type <expr> tcp_hdr_expr
%destructor { expr_free($$); } tcp_hdr_expr
@@ -1012,6 +1017,10 @@ add_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
+ | SYNPROXY obj_spec synproxy_obj
+ {
+ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SYNPROXY, &$2, &@$, $3);
+ }
;
replace_cmd : RULE ruleid_spec rule
@@ -1105,6 +1114,10 @@ create_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SECMARK, &$2, &@$, $3);
}
+ | SYNPROXY obj_spec synproxy_obj
+ {
+ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SYNPROXY, &$2, &@$, $3);
+ }
;
insert_cmd : RULE rule_position rule
@@ -1189,6 +1202,14 @@ delete_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SECMARK, &$2, &@$, NULL);
}
+ | SYNPROXY obj_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SYNPROXY, &$2, &@$, NULL);
+ }
+ | SYNPROXY objid_spec
+ {
+ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SYNPROXY, &$2, &@$, NULL);
+ }
;
get_cmd : ELEMENT set_spec set_block_expr
@@ -1273,6 +1294,18 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SECMARK, &$2, &@$, NULL);
}
+ | SYNPROXYS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SYNPROXYS, &$2, &@$, NULL);
+ }
+ | SYNPROXYS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SYNPROXYS, &$3, &@$, NULL);
+ }
+ | SYNPROXY obj_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_SYNPROXY, &$2, &@$, NULL);
+ }
| RULESET ruleset_spec
{
$$ = cmd_alloc(CMD_LIST, CMD_OBJ_RULESET, &$2, &@$, NULL);
@@ -1592,6 +1625,17 @@ table_block : /* empty */ { $$ = $<table>-1; }
list_add_tail(&$4->list, &$1->objs);
$$ = $1;
}
+ | table_block SYNPROXY obj_identifier
+ obj_block_alloc '{' synproxy_block '}'
+ stmt_separator
+ {
+ $4->location = @3;
+ $4->type = NFT_OBJECT_SYNPROXY;
+ handle_merge(&$4->handle, &$3);
+ handle_free(&$3);
+ list_add_tail(&$4->list, &$1->objs);
+ $$ = $1;
+ }
;
chain_block_alloc : /* empty */
@@ -1928,6 +1972,16 @@ secmark_block : /* empty */ { $$ = $<obj>-1; }
}
;
+synproxy_block : /* empty */ { $$ = $<obj>-1; }
+ | synproxy_block common_block
+ | synproxy_block stmt_separator
+ | synproxy_block synproxy_config
+ {
+ $1->synproxy = *$2;
+ $$ = $1;
+ }
+ ;
+
type_identifier : STRING { $$ = $1; }
| MARK { $$ = xstrdup("mark"); }
| DSCP { $$ = xstrdup("dscp"); }
@@ -2788,6 +2842,12 @@ synproxy_stmt_alloc : SYNPROXY
{
$$ = synproxy_stmt_alloc(&@$);
}
+ | SYNPROXY NAME stmt_expr
+ {
+ $$ = objref_stmt_alloc(&@$);
+ $$->objref.type = NFT_OBJECT_SYNPROXY;
+ $$->objref.expr = $3;
+ }
;
synproxy_args : synproxy_arg
@@ -2817,6 +2877,47 @@ synproxy_arg : MSS NUM
}
;
+synproxy_config : MSS NUM WSCALE NUM synproxy_ts synproxy_sack
+ {
+ struct synproxy *synproxy;
+ uint32_t flags = 0;
+
+ synproxy = xzalloc(sizeof(*synproxy));
+ synproxy->mss = $2;
+ flags |= NF_SYNPROXY_OPT_MSS;
+ synproxy->wscale = $4;
+ flags |= NF_SYNPROXY_OPT_WSCALE;
+ if ($5)
+ flags |= $5;
+ if ($6)
+ flags |= $6;
+ synproxy->flags = flags;
+ $$ = synproxy;
+ }
+ ;
+
+synproxy_obj : synproxy_config
+ {
+ $$ = obj_alloc(&@$);
+ $$->type = NFT_OBJECT_SYNPROXY;
+ $$->synproxy = *$1;
+ }
+ ;
+
+synproxy_ts : /* empty */ { $$ = 0; }
+ | TIMESTAMP
+ {
+ $$ = NF_SYNPROXY_OPT_TIMESTAMP;
+ }
+ ;
+
+synproxy_sack : /* empty */ { $$ = 0; }
+ | SACKPERM
+ {
+ $$ = NF_SYNPROXY_OPT_SACK_PERM;
+ }
+ ;
+
primary_stmt_expr : symbol_expr { $$ = $1; }
| integer_expr { $$ = $1; }
| boolean_expr { $$ = $1; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8ca07d7..8fd46d2 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3019,8 +3019,9 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx,
const char *family, *tmp, *rate_unit = "packets", *burst_unit = "bytes";
uint32_t l3proto = NFPROTO_UNSPEC;
struct handle h = { 0 };
+ int inv = 0, flags = 0;
struct obj *obj;
- int inv = 0;
+ json_t *jflags;
if (json_unpack_err(ctx, root, "{s:s, s:s}",
"family", &family,
@@ -3196,6 +3197,25 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx,
obj->limit.unit = seconds_from_unit(tmp);
obj->limit.flags = inv ? NFT_LIMIT_F_INV : 0;
break;
+ case CMD_OBJ_SYNPROXY:
+ obj->type = NFT_OBJECT_SYNPROXY;
+ if (json_unpack_err(ctx, root, "{s:i, s:i}",
+ "mss", &obj->synproxy.mss,
+ "wscale", &obj->synproxy.wscale)) {
+ obj_free(obj);
+ return NULL;
+ }
+ obj->synproxy.flags |= NF_SYNPROXY_OPT_MSS;
+ obj->synproxy.flags |= NF_SYNPROXY_OPT_WSCALE;
+ if (!json_unpack(root, "{s:o}", "flags", &jflags)) {
+ flags = json_parse_synproxy_flags(ctx, jflags);
+ if (flags < 0) {
+ obj_free(obj);
+ return NULL;
+ }
+ obj->synproxy.flags |= flags;
+ }
+ break;
default:
BUG("Invalid CMD '%d'", cmd_obj);
}
diff --git a/src/rule.c b/src/rule.c
index 1912513..98d154f 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -32,6 +32,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_arp.h>
#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/nf_synproxy.h>
#include <net/if.h>
#include <linux/netfilter_bridge.h>
@@ -1451,6 +1452,7 @@ void cmd_free(struct cmd *cmd)
case CMD_OBJ_CT_EXPECT:
case CMD_OBJ_LIMIT:
case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SYNPROXY:
obj_free(cmd->object);
break;
case CMD_OBJ_FLOWTABLE:
@@ -1542,6 +1544,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
case CMD_OBJ_CT_EXPECT:
case CMD_OBJ_LIMIT:
case CMD_OBJ_SECMARK:
+ case CMD_OBJ_SYNPROXY:
return mnl_nft_obj_add(ctx, cmd, flags);
case CMD_OBJ_FLOWTABLE:
return mnl_nft_flowtable_add(ctx, cmd, flags);
@@ -1627,6 +1630,8 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_LIMIT);
case CMD_OBJ_SECMARK:
return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_SECMARK);
+ case CMD_OBJ_SYNPROXY:
+ return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_SYNPROXY);
case CMD_OBJ_FLOWTABLE:
return mnl_nft_flowtable_del(ctx, cmd);
default:
@@ -1778,6 +1783,22 @@ static void print_proto_timeout_policy(uint8_t l4, const uint32_t *timeout,
nft_print(octx, " }%s", opts->stmt_separator);
}
+static const char *synproxy_sack_to_str(const uint32_t flags)
+{
+ if (flags & NF_SYNPROXY_OPT_SACK_PERM)
+ return " sack-perm";
+
+ return "";
+}
+
+static const char *synproxy_timestamp_to_str(const uint32_t flags)
+{
+ if (flags & NF_SYNPROXY_OPT_TIMESTAMP)
+ return " timestamp";
+
+ return "";
+}
+
static void obj_print_data(const struct obj *obj,
struct print_fmt_options *opts,
struct output_ctx *octx)
@@ -1911,6 +1932,33 @@ static void obj_print_data(const struct obj *obj,
nft_print(octx, "%s", opts->nl);
}
break;
+ case NFT_OBJECT_SYNPROXY: {
+ uint32_t flags = obj->synproxy.flags;
+ const char *sack_str = synproxy_sack_to_str(flags);
+ const char *ts_str = synproxy_timestamp_to_str(flags);
+
+ nft_print(octx, " %s {", obj->handle.obj.name);
+ if (nft_output_handle(octx))
+ nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
+ nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
+
+ if (flags & (NF_SYNPROXY_OPT_MSS | NF_SYNPROXY_OPT_WSCALE))
+ nft_print(octx, "synproxy mss %u wscale %u%s%s%s",
+ obj->synproxy.mss, obj->synproxy.wscale,
+ ts_str, sack_str, opts->stmt_separator);
+ else if (flags & NF_SYNPROXY_OPT_MSS)
+ nft_print(octx, "synproxy mss %u%s%s%s",
+ obj->synproxy.mss, ts_str, sack_str,
+ opts->stmt_separator);
+ else if (flags & NF_SYNPROXY_OPT_WSCALE)
+ nft_print(octx, "synproxy wscale %u%s%s%s",
+ obj->synproxy.wscale, ts_str, sack_str,
+ opts->stmt_separator);
+ else
+ nft_print(octx, "synproxy %s%s%s", ts_str, sack_str,
+ opts->stmt_separator);
+ }
+ break;
default:
nft_print(octx, " unknown {%s", opts->nl);
break;
@@ -1924,6 +1972,7 @@ static const char * const obj_type_name_array[] = {
[NFT_OBJECT_LIMIT] = "limit",
[NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
[NFT_OBJECT_SECMARK] = "secmark",
+ [NFT_OBJECT_SYNPROXY] = "synproxy",
[NFT_OBJECT_CT_EXPECT] = "ct expectation",
};
@@ -1941,6 +1990,7 @@ static uint32_t obj_type_cmd_array[NFT_OBJECT_MAX + 1] = {
[NFT_OBJECT_LIMIT] = CMD_OBJ_LIMIT,
[NFT_OBJECT_CT_TIMEOUT] = CMD_OBJ_CT_TIMEOUT,
[NFT_OBJECT_SECMARK] = CMD_OBJ_SECMARK,
+ [NFT_OBJECT_SYNPROXY] = CMD_OBJ_SYNPROXY,
[NFT_OBJECT_CT_EXPECT] = CMD_OBJ_CT_EXPECT,
};
@@ -2308,6 +2358,8 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_SECMARK:
case CMD_OBJ_SECMARKS:
return do_list_obj(ctx, cmd, NFT_OBJECT_SECMARK);
+ case CMD_OBJ_SYNPROXYS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_SYNPROXY);
case CMD_OBJ_FLOWTABLES:
return do_list_flowtables(ctx, cmd);
default:
diff --git a/src/scanner.l b/src/scanner.l
index fdf84ba..3de5a9e 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -330,6 +330,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"counters" { return COUNTERS; }
"quotas" { return QUOTAS; }
"limits" { return LIMITS; }
+"synproxys" { return SYNPROXYS; }
"log" { return LOG; }
"prefix" { return PREFIX; }
diff --git a/src/statement.c b/src/statement.c
index 12689ee..5aa5b1e 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -209,6 +209,7 @@ static const char *objref_type[NFT_OBJECT_MAX + 1] = {
[NFT_OBJECT_LIMIT] = "limit",
[NFT_OBJECT_CT_TIMEOUT] = "ct timeout",
[NFT_OBJECT_SECMARK] = "secmark",
+ [NFT_OBJECT_SYNPROXY] = "synproxy",
[NFT_OBJECT_CT_EXPECT] = "ct expectation",
};
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH nft v2] src: add synproxy stateful object support
2019-09-07 18:30 [PATCH nft v2] src: add synproxy stateful object support Fernando Fernandez Mancera
@ 2019-09-07 18:55 ` Pablo Neira Ayuso
2019-09-08 18:37 ` Fernando Fernandez Mancera
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-07 18:55 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
On Sat, Sep 07, 2019 at 08:30:22PM +0200, Fernando Fernandez Mancera wrote:
> Add support for "synproxy" stateful object. For example (for TCP port 80 and
> using maps with saddr):
>
> table ip foo {
> synproxy https-synproxy {
> synproxy mss 1460 wscale 7 timestamp sack-perm
> }
Please, update syntax, so this looks like:
synproxy https-synproxy {
mss 1460
wscale 7
timestamp sack-perm
}
One option per line.
Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH nft v2] src: add synproxy stateful object support
2019-09-07 18:55 ` Pablo Neira Ayuso
@ 2019-09-08 18:37 ` Fernando Fernandez Mancera
2019-09-08 19:33 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Fernando Fernandez Mancera @ 2019-09-08 18:37 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi Pablo,
On 9/7/19 8:55 PM, Pablo Neira Ayuso wrote:
> On Sat, Sep 07, 2019 at 08:30:22PM +0200, Fernando Fernandez Mancera wrote:
>> Add support for "synproxy" stateful object. For example (for TCP port 80 and
>> using maps with saddr):
>>
>> table ip foo {
>> synproxy https-synproxy {
>> synproxy mss 1460 wscale 7 timestamp sack-perm
>> }
>
> Please, update syntax, so this looks like:
>
> synproxy https-synproxy {
> mss 1460
> wscale 7
> timestamp sack-perm
> }
>
> One option per line.
>
> Thanks!
>
I have updated the syntax.
table ip foo {
synproxy https-synproxy {
mss 1460
wscale 7
timestamp sack-perm
}
synproxy other-synproxy {
mss 1460
wscale 5
}
chain bar {
tcp dport 80 synproxy name "https-synproxy"
synproxy name ip saddr map { 192.168.1.0/24 :
"https-synproxy", 192.168.2.0/24 : "other-synproxy" }
}
}
But then I am getting errors when using "nft -f". Then how it is
possible to allow that on the parser?
mark:3:11-11: Error: syntax error, unexpected newline, expecting wscale
mss 1460
^
mark:4:3-8: Error: syntax error, unexpected wscale
wscale 7
^^^^^^
mark:5:3-11: Error: syntax error, unexpected timestamp
timestamp sack-perm
^^^^^^^^^
mark:9:11-11: Error: syntax error, unexpected newline, expecting wscale
mss 1460
^
mark:10:3-8: Error: syntax error, unexpected wscale
wscale 5
^^^^^^
Thanks! :-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH nft v2] src: add synproxy stateful object support
2019-09-08 18:37 ` Fernando Fernandez Mancera
@ 2019-09-08 19:33 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-08 19:33 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
On Sun, Sep 08, 2019 at 08:37:38PM +0200, Fernando Fernandez Mancera wrote:
> Hi Pablo,
>
> On 9/7/19 8:55 PM, Pablo Neira Ayuso wrote:
> > On Sat, Sep 07, 2019 at 08:30:22PM +0200, Fernando Fernandez Mancera wrote:
> >> Add support for "synproxy" stateful object. For example (for TCP port 80 and
> >> using maps with saddr):
> >>
> >> table ip foo {
> >> synproxy https-synproxy {
> >> synproxy mss 1460 wscale 7 timestamp sack-perm
> >> }
> >
> > Please, update syntax, so this looks like:
> >
> > synproxy https-synproxy {
> > mss 1460
> > wscale 7
> > timestamp sack-perm
> > }
> >
> > One option per line.
> >
> > Thanks!
> >
>
> I have updated the syntax.
>
> table ip foo {
> synproxy https-synproxy {
> mss 1460
> wscale 7
> timestamp sack-perm
> }
>
> synproxy other-synproxy {
> mss 1460
> wscale 5
> }
>
> chain bar {
> tcp dport 80 synproxy name "https-synproxy"
> synproxy name ip saddr map { 192.168.1.0/24 :
> "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
> }
> }
>
> But then I am getting errors when using "nft -f". Then how it is
> possible to allow that on the parser?
>
> mark:3:11-11: Error: syntax error, unexpected newline, expecting wscale
> mss 1460
> ^
> mark:4:3-8: Error: syntax error, unexpected wscale
> wscale 7
> ^^^^^^
> mark:5:3-11: Error: syntax error, unexpected timestamp
> timestamp sack-perm
> ^^^^^^^^^
> mark:9:11-11: Error: syntax error, unexpected newline, expecting wscale
> mss 1460
> ^
> mark:10:3-8: Error: syntax error, unexpected wscale
> wscale 5
> ^^^^^^
Update the parser, have a look at ct helper, for instance.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-08 19:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-07 18:30 [PATCH nft v2] src: add synproxy stateful object support Fernando Fernandez Mancera
2019-09-07 18:55 ` Pablo Neira Ayuso
2019-09-08 18:37 ` Fernando Fernandez Mancera
2019-09-08 19:33 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).