Complete
e6c32b2fa0b8 ("src: add negation match on singleton bitmask
value") which was missing comma-separated list of flags.
This patch provides a shortcut for:
tcp flags and fin,rst == 0
which allows to check for the packet whose fin and rst bits are unset:
# nft add rule x y tcp flags not fin,rst counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
{
$$ = relational_expr_alloc(&@2, $2, $1, $3);
}
+ | expr relational_op list_rhs_expr
+ {
+ $$ = relational_expr_alloc(&@2, $2, $1, $3);
+ }
;
list_rhs_expr : basic_rhs_expr COMMA basic_rhs_expr
tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
tcp flags { syn, syn | ack };ok
tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok
+tcp flags ! fin,rst;ok
tcp window 22222;ok
tcp window 22;ok
}
}
]
+
+# tcp flags ! fin,rst
+[
+ {
+ "match": {
+ "op": "!",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ "right": [
+ "fin",
+ "rst"
+ ]
+ }
+ }
+]
[ payload load 1b @ transport header + 13 => reg 1 ]
[ lookup reg 1 set __set%d ]
+# tcp flags ! fin,rst
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
projects / thirdparty / nftables.git / commitdiff
