
[iptables-nft,6/7] nft-shared: add tcp flag dissection

Message ID 20220125165301.5960-7-fw@strlen.de
State Accepted, archived
Delegated to: Pablo Neira
Series iptables: prefer native expressions for udp and tcp matches | expand

Commit Message

Florian Westphal Jan. 25, 2022, 4:53 p.m. UTC
Detect a payload load of th->flags and convert it to the xt tcp match
structure.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 iptables/nft-shared.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

Patch

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 19c82854f758..74f08c8966ee 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -751,6 +751,22 @@  static void nft_complete_th_port_range(struct nft_xt_ctx *ctx,
 	}
 }
 
+static void nft_complete_tcp_flags(struct nft_xt_ctx *ctx,
+				   struct iptables_command_state *cs,
+				   uint8_t op,
+				   uint8_t flags,
+				   uint8_t mask)
+{
+	struct xt_tcp *tcp = nft_tcp_match(ctx, cs);
+
+	if (!tcp)
+		return;
+
+	if (op == NFT_CMP_NEQ)
+		tcp->invflags |= XT_TCP_INV_FLAGS;
+	tcp->flg_cmp = flags;
+	tcp->flg_mask = mask;
+}
 
 static void nft_complete_transport(struct nft_xt_ctx *ctx,
 				   struct nftnl_expr *e, void *data)
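Review bot: nft_complete_tcp_flags treats every comparison operator other than NFT_CMP_NEQ as equality: the `op == NFT_CMP_NEQ` test on the added lines only sets XT_TCP_INV_FLAGS, and any other op (the caller in the second hunk passes op through unchanged) silently yields a plain `--tcp-flags` match, so a rule built with a different cmp op would be rendered as something it does not mean. A guard before the fields are written, `if (op != NFT_CMP_EQ && op != NFT_CMP_NEQ) return;`, at least stops the wrong fields from being populated, though how nft_tcp_match and the surrounding parser report an unsupported expression is outside this hunk, so the proper failure path may differ. The new function also carries no comment; a short header stating that `flags` is the compared value and `mask` the bitwise mask, which the caller fills with all ones when no bitwise expression preceded the cmp, would make the contract clear to the next reader.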
@@ -797,6 +813,18 @@  static void nft_complete_transport(struct nft_xt_ctx *ctx,
 			return;
 		}
 		break;
+	case 13: /* th->flags */
+		if (len == 1 && proto == IPPROTO_TCP) {
+			uint8_t flags = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+			uint8_t mask = ~0;
+
+			if (ctx->flags & NFT_XT_CTX_BITWISE) {
+				memcpy(&mask, &ctx->bitwise.mask, sizeof(mask));
+				ctx->flags &= ~NFT_XT_CTX_BITWISE;
+			}
+			nft_complete_tcp_flags(ctx, cs, op, flags, mask);
+		}
+		return;
 	}
 }