tcpopt: add md5sig, fastopen and mptcp options
authorFlorian Westphal <fw@strlen.de>
Sun, 21 Nov 2021 22:33:11 +0000 (23:33 +0100)
committerFlorian Westphal <fw@strlen.de>
Wed, 1 Dec 2021 13:11:39 +0000 (14:11 +0100)
Allow to use "fastopen", "md5sig" and "mptcp" mnemonics rather than the
raw option numbers.

These new keywords are only recognized while scanner is in tcp state.

Signed-off-by: Florian Westphal <fw@strlen.de>
include/tcpopt.h
src/parser_bison.y
src/scanner.l
src/tcpopt.c

index 667c8a7725d8992b118a9d223cfa57479c81c99f..22df69dc5b93dd453c608a17e5cbc47cc44172a4 100644 (file)
@@ -25,6 +25,9 @@ enum tcpopt_kind {
        TCPOPT_KIND_SACK = 5,
        TCPOPT_KIND_TIMESTAMP = 8,
        TCPOPT_KIND_ECHO = 8,
+       TCPOPT_KIND_MD5SIG = 19,
+       TCPOPT_KIND_MPTCP = 30,
+       TCPOPT_KIND_FASTOPEN = 34,
        __TCPOPT_KIND_MAX,
 
        /* extra oob info, internal to nft */
@@ -71,6 +74,11 @@ enum tcpopt_hdr_field_sack {
        TCPOPT_SACK_RIGHT3,
 };
 
+enum tcpopt_hdr_mptcp_common {
+       TCPOPT_MPTCP_KIND,
+       TCPOPT_MPTCP_LENGTH,
+};
+
 extern const struct exthdr_desc *tcpopt_protocols[__TCPOPT_KIND_MAX];
 
 #endif /* NFTABLES_TCPOPT_H */
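Review bot: `enum tcpopt_hdr_mptcp_common` repeats the kind/length indices that `tcpopt_fastopen` and `tcpopt_md5sig` in src/tcpopt.c take from `TCPOPT_COMMON_KIND` and `TCPOPT_COMMON_LENGTH`, and nothing here says the two enums must stay aligned. If the separate enum is meant as the base for later MPTCP-specific fields, a comment such as `/* first two entries must match TCPOPT_COMMON_KIND/LENGTH; mptcp-specific fields follow */` would record that; otherwise `tcpopt_mptcp` could use the common constants like the other two descriptors. The definition of the common enum is outside this hunk, so the assumption that both start at zero should be checked against it.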
index fca79132609478a2de5e57941b05beb51ee21197..a6a591b7e00dd70786f5099f2e00069f32e5bd8f 100644 (file)
@@ -408,6 +408,7 @@ int nft_lex(void *, void *, void *);
 %token OPTION                  "option"
 %token ECHO                    "echo"
 %token EOL                     "eol"
+%token MPTCP                   "mptcp"
 %token NOP                     "nop"
 %token SACK                    "sack"
 %token SACK0                   "sack0"
@@ -415,6 +416,8 @@ int nft_lex(void *, void *, void *);
 %token SACK2                   "sack2"
 %token SACK3                   "sack3"
 %token SACK_PERM               "sack-permitted"
+%token FASTOPEN                        "fastopen"
+%token MD5SIG                  "md5sig"
 %token TIMESTAMP               "timestamp"
 %token COUNT                   "count"
 %token LEFT                    "left"
@@ -5548,11 +5551,14 @@ tcp_hdr_option_sack     :       SACK            { $$ = TCPOPT_KIND_SACK; }
 
 tcp_hdr_option_type    :       ECHO                    { $$ = TCPOPT_KIND_ECHO; }
                        |       EOL                     { $$ = TCPOPT_KIND_EOL; }
+                       |       FASTOPEN                { $$ = TCPOPT_KIND_FASTOPEN; }
+                       |       MD5SIG                  { $$ = TCPOPT_KIND_MD5SIG; }
+                       |       MPTCP                   { $$ = TCPOPT_KIND_MPTCP; }
                        |       MSS                     { $$ = TCPOPT_KIND_MAXSEG; }
                        |       NOP                     { $$ = TCPOPT_KIND_NOP; }
                        |       SACK_PERM               { $$ = TCPOPT_KIND_SACK_PERMITTED; }
-                       |       TIMESTAMP               { $$ = TCPOPT_KIND_TIMESTAMP; }
-                       |       WINDOW                  { $$ = TCPOPT_KIND_WINDOW; }
+                       |       TIMESTAMP               { $$ = TCPOPT_KIND_TIMESTAMP; }
+                       |       WINDOW                  { $$ = TCPOPT_KIND_WINDOW; }
                        |       tcp_hdr_option_sack     { $$ = $1; }
                        |       NUM                     {
                                if ($1 > 255) {
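Review bot: The `TIMESTAMP` and `WINDOW` alternatives of `tcp_hdr_option_type` are removed and re-added with only their whitespace changed, which adds noise to a hunk whose real content is the three new alternatives; leaving those two lines untouched would keep blame history pointing at the commit that introduced them. The new `FASTOPEN`, `MD5SIG` and `MPTCP` alternatives are user-visible syntax, and none of the four files listed for this commit looks like a man-page or test file, so it may be worth adding the keywords to the documentation and a parse/list round-trip test alongside. The rule continues past the end of the hunk (the `NUM` action is cut off).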
index 09fcbd094aa69761f6715bdbf81ce1ccf85bb8fa..c65d57846c5987903fbd6f41875e4287356c024d 100644 (file)
@@ -469,6 +469,9 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 <SCANSTATE_TCP>{
 "echo"                 { return ECHO; }
 "eol"                  { return EOL; }
+"fastopen"             { return FASTOPEN; }
+"mptcp"                        { return MPTCP; }
+"md5sig"               { return MD5SIG; }
 "nop"                  { return NOP; }
 "noop"                 { return NOP; }
 "sack"                 { return SACK; }
index 53fe9bc860a8dcbc22d63950a8adc6c6f5b59212..5913cd065d03c14c4df18d3fbe2c47df2de5b2f4 100644 (file)
@@ -91,6 +91,33 @@ static const struct exthdr_desc tcpopt_timestamp = {
        },
 };
 
+static const struct exthdr_desc tcpopt_fastopen = {
+       .name           = "fastopen",
+       .type           = TCPOPT_KIND_FASTOPEN,
+       .templates      = {
+               [TCPOPT_COMMON_KIND]    = PHT("kind",   0, 8),
+               [TCPOPT_COMMON_LENGTH]  = PHT("length", 8, 8),
+       },
+};
+
+static const struct exthdr_desc tcpopt_md5sig = {
+       .name           = "md5sig",
+       .type           = TCPOPT_KIND_MD5SIG,
+       .templates      = {
+               [TCPOPT_COMMON_KIND]    = PHT("kind",   0, 8),
+               [TCPOPT_COMMON_LENGTH]  = PHT("length", 8, 8),
+       },
+};
+
+
+static const struct exthdr_desc tcpopt_mptcp = {
+       .name           = "mptcp",
+       .type           = TCPOPT_KIND_MPTCP,
+       .templates      = {
+               [TCPOPT_MPTCP_KIND]     = PHT("kind",   0,   8),
+               [TCPOPT_MPTCP_LENGTH]   = PHT("length", 8,  8),
+       },
+};
 #undef PHT
 
 const struct exthdr_desc *tcpopt_protocols[] = {
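Review bot: The three new descriptors describe only the `kind` and `length` bytes, so a rule using `md5sig`, `fastopen` or `mptcp` can test that the option is present and how long it is, but not the MD5 digest, the Fast Open cookie or the MPTCP subtype. A short comment above `tcpopt_fastopen`, for example `/* header only: option payload is not described and cannot be matched */`, would keep a reader from assuming that matching `md5sig` says anything about the signature itself. There is also a doubled blank line before `tcpopt_mptcp` and none before `#undef PHT`, and the `PHT("kind",   0,   8)` spacing differs from the two descriptors above it.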
@@ -101,6 +128,9 @@ const struct exthdr_desc *tcpopt_protocols[] = {
        [TCPOPT_KIND_SACK_PERMITTED]    = &tcpopt_sack_permitted,
        [TCPOPT_KIND_SACK]              = &tcpopt_sack,
        [TCPOPT_KIND_TIMESTAMP]         = &tcpopt_timestamp,
+       [TCPOPT_KIND_MD5SIG]            = &tcpopt_md5sig,
+       [TCPOPT_KIND_MPTCP]             = &tcpopt_mptcp,
+       [TCPOPT_KIND_FASTOPEN]          = &tcpopt_fastopen,
 };
 
 /**
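Review bot: With `TCPOPT_KIND_FASTOPEN = 34` the table now spans 35 slots with long runs of NULL entries (kinds 6–7, 9–18, 20–29 and 31–33 have no descriptor), so every lookup by kind number has to treat a NULL entry as an unknown option before dereferencing it. Those lookups are outside this hunk and should be checked, since the raw `NUM` form in the grammar appears to accept any value up to 255. The definition also leaves the array size implicit, so it matches the `[__TCPOPT_KIND_MAX]` declared in include/tcpopt.h only while the highest enum value has an initializer; writing `const struct exthdr_desc *tcpopt_protocols[__TCPOPT_KIND_MAX] = {` makes the two agree by construction.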