author | green <green@FreeBSD.org> | 2004-10-03 00:47:15 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2004-10-03 00:47:15 +0000 |
commit | cb606898b9f83045c54ca6796b13313487916ac0 (patch) | |
tree | ed21a6bab51547d776061c9da2318f199ee4ea14 /sbin/ipfw | |
parent | cdf18c02e63403bcc3ca98fc618b46d5868cd2d3 (diff) | |
Add support to IPFW for matching by TCP data length.
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 6 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.c | 23 |
2 files changed, 29 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index ef05581..7ba90e4 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1236,6 +1236,12 @@ specified as argument. TCP packets only. Match if the TCP header acknowledgment number field is set to .Ar ack . +.It Cm tcpdatalen Ar tcpdatalen-list +Matches TCP packets whose length of TCP data is +.Ar tcpdatalen-list , +which is either a single value or a list of values or ranges +specified in the same way as +.Ar ports . .It Cm tcpflags Ar spec TCP packets only. Match if the TCP header contains the comma separated list of diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index bfc0fc4..fe3a8fe 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -233,6 +233,7 @@ enum tokens { TOK_IPVER, TOK_ESTAB, TOK_SETUP, + TOK_TCPDATALEN, TOK_TCPFLAGS, TOK_TCPOPTS, TOK_TCPSEQ, @@ -348,6 +349,7 @@ struct _s_x rule_options[] = { { "estab", TOK_ESTAB }, { "established", TOK_ESTAB }, { "setup", TOK_SETUP }, + { "tcpdatalen", TOK_TCPDATALEN }, { "tcpflags", TOK_TCPFLAGS }, { "tcpflgs", TOK_TCPFLAGS }, { "tcpoptions", TOK_TCPOPTS }, @@ -481,6 +483,7 @@ struct _s_x _port_name[] = { {"iplen", O_IPLEN}, {"ipttl", O_IPTTL}, {"mac-type", O_MAC_TYPE}, + {"tcpdatalen", O_TCPDATALEN}, {NULL, 0} }; @@ -1395,6 +1398,14 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) printf(" established"); break; + case O_TCPDATALEN: + if (F_LEN(cmd) == 1) + printf(" tcpdatalen %u", cmd->arg1 ); + else + print_newports((ipfw_insn_u16 *)cmd, 0, + O_TCPDATALEN); + break; + case O_TCPFLAGS: print_flags("tcpflags", cmd, f_tcpflags); break; @@ -2072,6 +2083,7 @@ help(void) " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" " verrevpath | versrcreach | antispoof\n" +" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" ); exit(0); } 
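Review bot: The usage line added in the help() hunk repeats `verrevpath | versrcreach | antispoof`, which the unchanged line directly above it already prints, so the option summary now lists those three keywords twice. The diffstat reports no deletions, so the old line is still present, and it ends without a `|` separator before the new one. Either drop the old `" verrevpath | versrcreach | antispoof\n"` line so that the new line is the only one carrying them, or reduce the new line to `tcpdatalen LIST` and add the trailing `|` to the line before it. help() starts outside the hunk.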
@@ -3542,6 +3554,17 @@ read_options: (TH_SYN) | ( (TH_ACK) & 0xff) <<8 ); break; + case TOK_TCPDATALEN: + NEED1("tcpdatalen requires length"); + if (strpbrk(*av, "-,")) { + if (!add_ports(cmd, *av, 0, O_TCPDATALEN)) + errx(EX_DATAERR, "invalid tcpdata len %s", *av); + } else + fill_cmd(cmd, O_TCPDATALEN, 0, + strtoul(*av, NULL, 0)); + ac--; av++; + break; + case TOK_TCPOPTS: NEED1("missing argument for tcpoptions"); fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av); |
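Review bot: The single-value branch of the new `case TOK_TCPDATALEN:` hands `strtoul(*av, NULL, 0)` straight to fill_cmd() with no end-pointer or range check, so a non-numeric argument becomes 0 and an over-large one is presumably truncated to the 16-bit argument (the list form is handled as ipfw_insn_u16). For a firewall rule this means a typo silently installs a rule that matches a different data length than the operator wrote, whereas the add_ports() branch fails with errx(). Parse into a local, reject trailing characters and values above 0xffff with the same errx(), and only then call fill_cmd(). The enclosing function and the read_options loop start outside this hunk.

```c
	case TOK_TCPDATALEN:
		NEED1("tcpdatalen requires length");
		if (strpbrk(*av, "-,")) {
			/* … unchanged: add_ports() list/range path … */
		} else {
			char *end;
			unsigned long len = strtoul(*av, &end, 0);

			/* ULONG_MAX on overflow is also caught by the range test. */
			if (end == *av || *end != '\0' || len > 0xffff)
				errx(EX_DATAERR, "invalid tcpdata len %s", *av);
			fill_cmd(cmd, O_TCPDATALEN, 0, len);
		}
		/* … unchanged: ac--; av++; break; … */
```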