@@ -25,6 +25,9 @@ enum tcpopt_kind {
TCPOPT_KIND_SACK = 5,
TCPOPT_KIND_TIMESTAMP = 8,
TCPOPT_KIND_ECHO = 8,
+ TCPOPT_KIND_MD5SIG = 19,
+ TCPOPT_KIND_MPTCP = 30,
+ TCPOPT_KIND_FASTOPEN = 34,
__TCPOPT_KIND_MAX,
/* extra oob info, internal to nft */
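Review bot: With `TCPOPT_KIND_FASTOPEN = 34` placed before `__TCPOPT_KIND_MAX`, the sentinel becomes 35 and `tcpopt_protocols[]` gains long runs of NULL slots (9-18, 20-29, 31-33) on top of the existing gaps at 6 and 7. The grammar hunk still accepts a raw `NUM` up to 255, so whatever indexes the table has to check both `kind < __TCPOPT_KIND_MAX` and a non-NULL entry. That lookup is outside this diff, so this is something to confirm rather than a known fault. I would add a comment on the sentinel, `/* tcpopt_protocols[] is sparse: unassigned kinds are NULL */`. The enum continues past the end of the hunk.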
@@ -71,6 +74,11 @@ enum tcpopt_hdr_field_sack {
TCPOPT_SACK_RIGHT3,
};
+enum tcpopt_hdr_mptcp_common {
+ TCPOPT_MPTCP_KIND,
+ TCPOPT_MPTCP_LENGTH,
+};
+
extern const struct exthdr_desc *tcpopt_protocols[__TCPOPT_KIND_MAX];
#endif /* NFTABLES_TCPOPT_H */
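Review bot: `enum tcpopt_hdr_mptcp_common` repeats the kind/length indices that the fastopen and md5sig descriptors take from `TCPOPT_COMMON_KIND` and `TCPOPT_COMMON_LENGTH`, so the three new options are not declared the same way. If the separate enum exists so that mptcp-specific fields can be appended later, say so in a comment such as `/* mptcp fields; the first two must stay equal to TCPOPT_COMMON_KIND/LENGTH */`; otherwise reuse the common enum in `tcpopt_mptcp`. Generic code that resolves kind or length through the TCPOPT_COMMON_* index presumably relies on the values matching, which cannot be checked from this hunk.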
@@ -408,6 +408,7 @@ int nft_lex(void *, void *, void *);
%token OPTION "option"
%token ECHO "echo"
%token EOL "eol"
+%token MPTCP "mptcp"
%token NOP "nop"
%token SACK "sack"
%token SACK0 "sack0"
@@ -415,6 +416,8 @@ int nft_lex(void *, void *, void *);
%token SACK2 "sack2"
%token SACK3 "sack3"
%token SACK_PERM "sack-permitted"
+%token FASTOPEN "fastopen"
+%token MD5SIG "md5sig"
%token TIMESTAMP "timestamp"
%token COUNT "count"
%token LEFT "left"
@@ -5548,11 +5551,14 @@ tcp_hdr_option_sack : SACK { $$ = TCPOPT_KIND_SACK; }
tcp_hdr_option_type : ECHO { $$ = TCPOPT_KIND_ECHO; }
| EOL { $$ = TCPOPT_KIND_EOL; }
+ | FASTOPEN { $$ = TCPOPT_KIND_FASTOPEN; }
+ | MD5SIG { $$ = TCPOPT_KIND_MD5SIG; }
+ | MPTCP { $$ = TCPOPT_KIND_MPTCP; }
| MSS { $$ = TCPOPT_KIND_MAXSEG; }
| NOP { $$ = TCPOPT_KIND_NOP; }
| SACK_PERM { $$ = TCPOPT_KIND_SACK_PERMITTED; }
- | TIMESTAMP { $$ = TCPOPT_KIND_TIMESTAMP; }
- | WINDOW { $$ = TCPOPT_KIND_WINDOW; }
+ | TIMESTAMP { $$ = TCPOPT_KIND_TIMESTAMP; }
+ | WINDOW { $$ = TCPOPT_KIND_WINDOW; }
| tcp_hdr_option_sack { $$ = $1; }
| NUM {
if ($1 > 255) {
@@ -469,6 +469,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
<SCANSTATE_TCP>{
"echo" { return ECHO; }
"eol" { return EOL; }
+"fastopen" { return FASTOPEN; }
+"mptcp" { return MPTCP; }
+"md5sig" { return MD5SIG; }
"nop" { return NOP; }
"noop" { return NOP; }
"sack" { return SACK; }
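Review bot: The new rules break the alphabetical order the visible part of the `<SCANSTATE_TCP>` block follows, because `"mptcp"` sits before `"md5sig"`; swap those two lines. With these rules, `fastopen`, `mptcp` and `md5sig` are returned as tokens whenever the scanner is in this state, so any place in a tcp expression that used to accept them as a plain string no longer does. That is probably harmless, but the diffstat lists only the header, grammar, scanner and tcpopt.c, so no test covers either the new mnemonics or that side effect. The state block continues past the hunk.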
@@ -91,6 +91,33 @@ static const struct exthdr_desc tcpopt_timestamp = {
},
};
+static const struct exthdr_desc tcpopt_fastopen = {
+ .name = "fastopen",
+ .type = TCPOPT_KIND_FASTOPEN,
+ .templates = {
+ [TCPOPT_COMMON_KIND] = PHT("kind", 0, 8),
+ [TCPOPT_COMMON_LENGTH] = PHT("length", 8, 8),
+ },
+};
+
+static const struct exthdr_desc tcpopt_md5sig = {
+ .name = "md5sig",
+ .type = TCPOPT_KIND_MD5SIG,
+ .templates = {
+ [TCPOPT_COMMON_KIND] = PHT("kind", 0, 8),
+ [TCPOPT_COMMON_LENGTH] = PHT("length", 8, 8),
+ },
+};
+
+
+static const struct exthdr_desc tcpopt_mptcp = {
+ .name = "mptcp",
+ .type = TCPOPT_KIND_MPTCP,
+ .templates = {
+ [TCPOPT_MPTCP_KIND] = PHT("kind", 0, 8),
+ [TCPOPT_MPTCP_LENGTH] = PHT("length", 8, 8),
+ },
+};
#undef PHT
const struct exthdr_desc *tcpopt_protocols[] = {
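Review bot: The three new descriptors expose only `kind` and `length`, so a rule written with `md5sig` or `fastopen` can test that the option is present and how long it is, but nothing about the MD5 digest or the Fast Open cookie. That limit matters to anyone filtering on these options and should be stated where the descriptors are defined, for example `/* presence/length only: the option payload (digest, cookie) is not exposed as a field */` above `tcpopt_fastopen`. The doubled blank `+` line before `tcpopt_mptcp` can also be dropped.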
@@ -101,6 +128,9 @@ const struct exthdr_desc *tcpopt_protocols[] = {
[TCPOPT_KIND_SACK_PERMITTED] = &tcpopt_sack_permitted,
[TCPOPT_KIND_SACK] = &tcpopt_sack,
[TCPOPT_KIND_TIMESTAMP] = &tcpopt_timestamp,
+ [TCPOPT_KIND_MD5SIG] = &tcpopt_md5sig,
+ [TCPOPT_KIND_MPTCP] = &tcpopt_mptcp,
+ [TCPOPT_KIND_FASTOPEN] = &tcpopt_fastopen,
};
/**
Allow the use of the "fastopen", "md5sig" and "mptcp" mnemonics rather than the raw option numbers. These new keywords are only recognized while the scanner is in tcp state. Signed-off-by: Florian Westphal <fw@strlen.de> --- include/tcpopt.h | 8 ++++++++ src/parser_bison.y | 10 ++++++++-- src/scanner.l | 3 +++ src/tcpopt.c | 30 ++++++++++++++++++++++++++++++ 4 files changed, 49 insertions(+), 2 deletions(-)