[packages/kernel.git] / pom-ng-ipv4options-20060504.patch

 include/linux/netfilter_ipv4/ipt_ipv4options.h |   21 +++
 net/ipv4/netfilter/Kconfig                     |   13 +
 net/ipv4/netfilter/Makefile                    |    1 
 net/ipv4/netfilter/ipt_ipv4options.c           |  173 +++++++++++++++++++++++++
 4 files changed, 208 insertions(+)

diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h	1970-01-01 01:00:00.000000000 +0100
+++ linux/include/linux/netfilter_ipv4/ipt_ipv4options.h	2006-05-04 10:14:44.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR		0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR		0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR		0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR			0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR		0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP		0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP	0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT	0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT	0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT		0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT	0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+	u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
--- linux.org/net/ipv4/netfilter/Kconfig	2006-05-02 23:38:44.000000000 +0200
+++ linux/net/ipv4/netfilter/Kconfig	2006-05-04 10:14:44.000000000 +0200
@@ -606,5 +606,18 @@
 	  Allows altering the ARP packet payload: source and destination
 	  hardware and network addresses.
 
+config IP_NF_MATCH_IPV4OPTIONS
+	tristate  'IPV4OPTIONS match support'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a IPV4OPTIONS match.
+	  It allows you to filter options like source routing,
+	  record route, timestamp and router-altert.
+	
+	  If you say Y here, try iptables -m ipv4options --help for more information.
+	 
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.
+
 endmenu
 
diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
--- linux.org/net/ipv4/netfilter/Makefile	2006-05-02 23:38:44.000000000 +0200
+++ linux/net/ipv4/netfilter/Makefile	2006-05-04 10:14:44.000000000 +0200
@@ -0,0 +0,1 @@
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linux/net/ipv4/netfilter/ipt_ipv4options.c
--- linux.org/net/ipv4/netfilter/ipt_ipv4options.c	1970-01-01 01:00:00.000000000 +0100
+++ linux/net/ipv4/netfilter/ipt_ipv4options.c	2006-05-04 10:14:44.000000000 +0200
@@ -0,0 +1,173 @@
+/*
+  This is a module which is used to match ipv4 options.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+  ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+  12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
+  12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
+  18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
+  19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      unsigned int protoff,
+      int *hotdrop)
+{
+	const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+	const struct iphdr *iph = skb->nh.iph;
+	const struct ip_options *opt;
+
+	if (iph->ihl * 4 == sizeof(struct iphdr)) {
+		/* No options, so we match only the "DONTs" and the "IGNOREs" */
+
+		if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+                    ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+			return 0;
+		return 1;
+	}
+	else {
+		if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
+			/* there are options, and we don't need to care which one */
+			return 1;
+		else {
+			if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+				/* there are options but we don't want any ! */
+				return 0;
+		}
+	}
+
+	opt = &(IPCB(skb)->opt);
+
+	/* source routing */
+	if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
+		if (!((opt->srr) && (opt->is_strictroute)))
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
+		if (!((opt->srr) && (!opt->is_strictroute)))
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
+		if (opt->srr)
+			return 0;
+	}
+	/* record route */
+	if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
+		if (!opt->rr)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
+		if (opt->rr)
+			return 0;
+	}
+	/* timestamp */
+	if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
+		if (!opt->ts)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
+		if (opt->ts)
+			return 0;
+	}
+	/* router-alert option  */
+	if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
+		if (!opt->router_alert)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
+		if (opt->router_alert)
+			return 0;
+	}
+
+	/* we match ! */
+	return 1;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_ip *ip,
+	   void *matchinfo,
+	   unsigned int matchsize,
+	   unsigned int hook_mask)
+{
+	const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+	/* Check the size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
+		return 0;
+	/* Now check the coherence of the data ... */
+	if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+	    (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
+	    (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
+	    ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
+		return 0; /* cannot match in the same time loose and strict source routing */
+	if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+		return 0; /* opposites */
+
+	/* everything looks ok. */
+	return 1;
+}
+
+static struct ipt_match ipv4options_match = { 
+	.name = "ipv4options",
+	.match = match,
+	.checkentry = checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
+module_exit(fini);
Commit	Line	Data
c6410bf7	1	include/linux/netfilter_ipv4/ipt_ipv4options.h \| 21 +++
	2	net/ipv4/netfilter/Kconfig \| 13 +
	3	net/ipv4/netfilter/Makefile \| 1
	4	net/ipv4/netfilter/ipt_ipv4options.c \| 173 +++++++++++++++++++++++++
	5	4 files changed, 208 insertions(+)
	6
	7	diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux/include/linux/netfilter_ipv4/ipt_ipv4options.h
	8	--- linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
	9	+++ linux/include/linux/netfilter_ipv4/ipt_ipv4options.h 2006-05-04 10:14:44.000000000 +0200
	10	@@ -0,0 +1,21 @@
	11	+#ifndef __ipt_ipv4options_h_included__
	12	+#define __ipt_ipv4options_h_included__
	13	+
	14	+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
	15	+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
	16	+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
	17	+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
	18	+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
	19	+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
	20	+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
	21	+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
	22	+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
	23	+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
	24	+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
	25	+
	26	+struct ipt_ipv4options_info {
	27	+ u_int16_t options;
	28	+};
	29	+
	30	+
	31	+#endif /* __ipt_ipv4options_h_included__ */
	32	diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
	33	--- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
	34	+++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:14:44.000000000 +0200
	35	@@ -606,5 +606,18 @@
	36	Allows altering the ARP packet payload: source and destination
	37	hardware and network addresses.
	38
	39	+config IP_NF_MATCH_IPV4OPTIONS
	40	+ tristate 'IPV4OPTIONS match support'
	41	+ depends on IP_NF_IPTABLES
	42	+ help
	43	+ This option adds a IPV4OPTIONS match.
	44	+ It allows you to filter options like source routing,
	45	+ record route, timestamp and router-altert.
	46	+
	47	+ If you say Y here, try iptables -m ipv4options --help for more information.
	48	+
	49	+ If you want to compile it as a module, say M here and read
	50	+ Documentation/modules.txt. If unsure, say `N'.
	51	+
	52	endmenu
	53
	54	diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
	55	--- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
	56	+++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:14:44.000000000 +0200
	57	@@ -0,0 +0,1 @@
	58	+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
	59	diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linux/net/ipv4/netfilter/ipt_ipv4options.c
	60	--- linux.org/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
	61	+++ linux/net/ipv4/netfilter/ipt_ipv4options.c 2006-05-04 10:14:44.000000000 +0200
	62	@@ -0,0 +1,173 @@
	63	+/*
	64	+ This is a module which is used to match ipv4 options.
65	+ This file is distributed under the terms of the GNU General Public
66	+ License (GPL). Copies of the GPL can be obtained from:
67	+ ftp://prep.ai.mit.edu/pub/gnu/GPL
68	+
69	+ 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
70	+ 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
71	+ 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
72	+ 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
73	+ 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
74	+*/
75	+
76	+#include <linux/module.h>
77	+#include <linux/skbuff.h>
78	+#include <net/ip.h>
79	+
80	+#include <linux/netfilter_ipv4/ip_tables.h>
81	+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
82	+
83	+MODULE_LICENSE("GPL");
84	+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
85	+
86	+static int
87	+match(const struct sk_buff *skb,
88	+ const struct net_device *in,
89	+ const struct net_device *out,
90	+ const void *matchinfo,
91	+ int offset,
92	+ unsigned int protoff,
93	+ int *hotdrop)
94	+{
95	+ const struct ipt_ipv4options_info info = matchinfo; / match info for rule */
96	+ const struct iphdr *iph = skb->nh.iph;
97	+ const struct ip_options *opt;
98	+
99	+ if (iph->ihl * 4 == sizeof(struct iphdr)) {
100	+ /* No options, so we match only the "DONTs" and the "IGNOREs" */
101	+
102	+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) \|\|
103	+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
104	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) \|\|
105	+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) \|\|
106	+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) \|\|
107	+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
108	+ return 0;
109	+ return 1;
110	+ }
111	+ else {
112	+ if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
113	+ /* there are options, and we don't need to care which one */
114	+ return 1;
115	+ else {
116	+ if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
117	+ /* there are options but we don't want any ! */
118	+ return 0;
119	+ }
120	+ }
121	+
122	+ opt = &(IPCB(skb)->opt);
123	+
124	+ /* source routing */
125	+ if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
126	+ if (!((opt->srr) && (opt->is_strictroute)))
127	+ return 0;
128	+ }
129	+ else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
130	+ if (!((opt->srr) && (!opt->is_strictroute)))
131	+ return 0;
132	+ }
133	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
134	+ if (opt->srr)
135	+ return 0;
136	+ }
137	+ /* record route */
138	+ if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
139	+ if (!opt->rr)
140	+ return 0;
141	+ }
142	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
143	+ if (opt->rr)
144	+ return 0;
145	+ }
146	+ /* timestamp */
147	+ if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
148	+ if (!opt->ts)
149	+ return 0;
150	+ }
151	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
152	+ if (opt->ts)
153	+ return 0;
154	+ }
155	+ /* router-alert option */
156	+ if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
157	+ if (!opt->router_alert)
158	+ return 0;
159	+ }
160	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
161	+ if (opt->router_alert)
162	+ return 0;
163	+ }
164	+
165	+ /* we match ! */
166	+ return 1;
167	+}
168	+
169	+static int
170	+checkentry(const char *tablename,
171	+ const struct ipt_ip *ip,
172	+ void *matchinfo,
173	+ unsigned int matchsize,
174	+ unsigned int hook_mask)
175	+{
176	+ const struct ipt_ipv4options_info info = matchinfo; / match info for rule */
177	+ /* Check the size */
178	+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
179	+ return 0;
180	+ /* Now check the coherence of the data ... */
181	+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
182	+ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) \|\|
183	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) \|\|
184	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) \|\|
185	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) \|\|
186	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
187	+ return 0; /* opposites */
188	+ if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
189	+ (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) \|\|
190	+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
191	+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) \|\|
192	+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) \|\|
193	+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) \|\|
194	+ ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
195	+ return 0; /* opposites */
196	+ if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
197	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
198	+ return 0; /* cannot match in the same time loose and strict source routing */
199	+ if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
200	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
201	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
202	+ return 0; /* opposites */
203	+ if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
204	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
205	+ return 0; /* opposites */
206	+ if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
207	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
208	+ return 0; /* opposites */
209	+ if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
210	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
211	+ return 0; /* opposites */
212	+
213	+ /* everything looks ok. */
214	+ return 1;
215	+}
216	+
217	+static struct ipt_match ipv4options_match = {
218	+ .name = "ipv4options",
219	+ .match = match,
220	+ .checkentry = checkentry,
221	+ .me = THIS_MODULE
222	+};
223	+
224	+static int __init init(void)
225	+{
226	+ return ipt_register_match(&ipv4options_match);
227	+}
228	+
229	+static void __exit fini(void)
230	+{
231	+ ipt_unregister_match(&ipv4options_match);
232	+}
233	+
234	+module_init(init);
235	+module_exit(fini);