
Commit ad49d86e authored by Fernando Fernandez Mancera, committed by Pablo Neira Ayuso

netfilter: nf_tables: Add synproxy support



Add synproxy support for nf_tables. This behaves like the iptables
synproxy target but it is structured in a way that allows us to propose
improvements in the future.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 6f7b841b
+1 −0
@@ -2,6 +2,7 @@
#ifndef _NF_CONNTRACK_SYNPROXY_H
#define _NF_CONNTRACK_SYNPROXY_H

#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netns/generic.h>

struct nf_conn_synproxy {
+5 −0
@@ -39,6 +39,11 @@ unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
				const struct nf_hook_state *nhs);
int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
#else
static inline int
nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net) { return 0; }
static inline void
nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net) {};
#endif /* CONFIG_IPV6 */

#endif /* _NF_SYNPROXY_SHARED_H */
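Review bot: The `!CONFIG_IPV6` stub `nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net) {};` carries a stray semicolon after the function body, which is an empty top-level declaration that `-Wpedantic` flags ("ISO C does not allow extra ';' outside of a function"); drop it to `nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net) {}` to match the `init` stub on the line above. The `#if`/`#else` conditional that these stubs sit in opens outside the hunk, so only the `#else` branch is visible here. It may also be worth a one-line comment on the `#else` saying the stubs exist so callers in nft_synproxy.c need no `CONFIG_IPV6` guards of their own, assuming that is how they are used.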
+4 −0
@@ -9,6 +9,10 @@
#define NF_SYNPROXY_OPT_SACK_PERM	0x04
#define NF_SYNPROXY_OPT_TIMESTAMP	0x08
#define NF_SYNPROXY_OPT_ECN		0x10
#define NF_SYNPROXY_OPT_MASK		(NF_SYNPROXY_OPT_MSS | \
					 NF_SYNPROXY_OPT_WSCALE | \
					 NF_SYNPROXY_OPT_SACK_PERM | \
					 NF_SYNPROXY_OPT_TIMESTAMP)

struct nf_synproxy_info {
	__u8	options;
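Review bot: `NF_SYNPROXY_OPT_MASK` deliberately leaves out `NF_SYNPROXY_OPT_ECN` (0x10), which is defined immediately above it, and nothing in the header says why; since this looks like a user-visible header (`__u8` in the struct below), a reader will assume the omission is a bug. If the mask is meant to be the set of options a user may request while ECN is derived by the proxy, say so with a comment on the `#define`, e.g. `/* options selectable from userspace; NF_SYNPROXY_OPT_ECN is not user-settable */`, adjusting the wording to the real reason. If the omission is not intentional, the mask should include `NF_SYNPROXY_OPT_ECN`.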
+16 −0
@@ -1551,6 +1551,22 @@ enum nft_osf_flags {
	NFT_OSF_F_VERSION = (1 << 0),
};

/**
 * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
 *
 * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
 * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
 * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
 */
enum nft_synproxy_attributes {
	NFTA_SYNPROXY_UNSPEC,
	NFTA_SYNPROXY_MSS,
	NFTA_SYNPROXY_WSCALE,
	NFTA_SYNPROXY_FLAGS,
	__NFTA_SYNPROXY_MAX,
};
#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)

/**
 * enum nft_device_attributes - nf_tables device netlink attributes
 *
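Review bot: The kernel-doc entry `@NFTA_SYNPROXY_FLAGS: flags (NLA_U32)` does not tell a userspace author which flag namespace the attribute takes; it should name it, e.g. `@NFTA_SYNPROXY_FLAGS: NF_SYNPROXY_OPT_* flags (NLA_U32)`, and state that bits outside the accepted set are rejected if that is what the expression does. Likewise, if `NFTA_SYNPROXY_MSS` and `NFTA_SYNPROXY_WSCALE` are only honoured when the corresponding `NF_SYNPROXY_OPT_MSS`/`NF_SYNPROXY_OPT_WSCALE` bit is set, the `@` lines for them should say so, since this enum is the contract libnftnl and nft will be written against. The parsing code that would confirm either point is not in this hunk.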
+11 −0
@@ -651,6 +651,17 @@ config NFT_TPROXY
	help
	  This makes transparent proxy support available in nftables.

config NFT_SYNPROXY
	tristate "Netfilter nf_tables SYNPROXY expression support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY expression allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
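Review bot: The help text for `NFT_SYNPROXY` reads awkwardly at `This allows to avoid conntrack and server resource usage`; `This avoids conntrack and server resource usage during SYN-flood attacks.` says the same thing correctly. It would also help users picking between the two implementations to add the sentence the commit message already contains, `This is the nf_tables counterpart of the iptables SYNPROXY target.`, right after the first sentence of the help block. The `if NF_TABLES_NETDEV` and `config NF_DUP_NETDEV` lines are context, and the latter's body continues outside the hunk.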