expr_rt might write data in host byte order, so make sure to
convert if needed.
This makes 'tcp option maxseg size rt mtu' actually work; right now such rules
are no-ops because nft_exthdr never increases the mss.
While at it, extend the example to not bother testing non-syn packets.
Reported-by: Matteo Croce <technoboy85@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
<example>
<title>change tcp mss</title>
<programlisting>
-tcp option maxseg size set 1360
+tcp flags syn tcp option maxseg size set 1360
# set a size based on route information:
-tcp option maxseg size set rt mtu
+tcp flags syn tcp option maxseg size set rt mtu
</programlisting>
</example>
</para>
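Review bot: The added "tcp flags syn" match in both example rules has no explanation in the listing itself; only the rt mtu rule carries a comment ("# set a size based on route information:"). A reader copying the example will not know why the match is there or whether it can be dropped. Suggest one more comment line above the first rule saying that the match restricts the rule to SYN packets so other packets are not tested, which is the reason the commit message gives.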
return stmt_binary_error(ctx, *expr, stmt,
"you cannot reference a set here, "
"unknown value to use");
+ case EXPR_RT:
+ return byteorder_conversion(ctx, expr, byteorder);
default:
break;
}
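Review bot: The new "case EXPR_RT:" branch has no comment saying why rt expressions need a conversion here, and the reason (rt may load its value in host byte order) lives only in the commit message. A short comment above the case would keep that next to the code. Separately, the "default:" branch still breaks without converting, so it is worth confirming that EXPR_RT is the only expression type that can reach this switch with a host-order value; if others can, they would hit the same silent no-op this change fixes for rt.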
# tcp option maxseg size set rt mtu
inet test-inet output
[ rt load tcpmss => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 2, 2) ]
[ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
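Review bot: Only the inet "output" expectation for "tcp option maxseg size set rt mtu" gains the "[ byteorder reg 1 = hton(reg 1, 2, 2) ]" line here. If the same rule is exercised under other families or has a JSON expectation, those need the same update or the test run will disagree with the new evaluation. It would also help to add a test line for the form the documentation now recommends, "tcp flags syn tcp option maxseg size set rt mtu", so the documented rule and the tested rule match.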