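--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -668,5 +668,15 @@ config IP_NF_ARP_MANGLE
 Allows altering the ARP packet payload: source and destination
 hardware and network addresses.
 
+config IP_NF_TARGET_IPV4OPTSSTRIP
+ tristate 'IPV4OPTSSTRIP target support'
+ depends on IP_NF_MANGLE
+ help
+ This option adds an IPV4OPTSSTRIP target.
+ This target allows you to strip all IP options in a packet.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
 endmenu
 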
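--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -54,6 +54,7 @@
 # targets
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o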
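--- a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
+++ b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
@@ -0,0 +1,75 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ struct iphdr *iph;
+ struct ip_options *opt;
+ unsigned char *optiph;
+ int l;
+
+ if (!skb_make_writable(skb, skb->len))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+
+ /* if no options in packet then nothing to clear. */
+ if (iph->ihl * 4 == sizeof(struct iphdr))
+ return XT_CONTINUE;
+
+ /* else clear all options */
+ optiph = skb_network_header(skb);
+ l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+ memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+ memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+ opt = &(IPCB(skb)->opt);
+ opt->optlen = l;
+
+ return XT_CONTINUE;
+}
+
+static int
+checkentry(const struct xt_tgchk_param *par)
+{
+ if (strcmp(par->table, "mangle")) {
+ printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", par->table);
+ return 0;
+ }
+ /* nothing else to check because no parameters */
+ return 1;
+}
+
+static struct xt_target ipt_ipv4optsstrip_reg = {
+ .name = "IPV4OPTSSTRIP",
+ .target = target,
+ .checkentry = checkentry,
+ .me = THIS_MODULE };
+
+static int __init init(void)
+{
+ return xt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
+ xt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
+module_exit(fini);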
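Review bot: In `target()`, the length `l` given to `memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l)` is read from `IPCB(skb)->opt.optlen` instead of the packet header, and it is never compared with `iph->ihl * 4` or the packet length. Where the control block has not yet been filled by option parsing (presumably the mangle PREROUTING hook) `l` would be 0 and the options would pass through unstripped, while a stale value could overwrite bytes beyond the header. Nothing visible refreshes the header checksum after the option bytes are rewritten, although `net/checksum.h` is included; the sketch below derives the length from `ihl`, bounds it, and calls `ip_send_check(iph)`. Separately, `checkentry()` returns 0 for the wrong table and 1 on success, which as far as I know is inverted on kernels that have `struct xt_action_param` (0 means success there); setting `.table = "mangle"` and `.family = NFPROTO_IPV4` in `ipt_ipv4optsstrip_reg` would let x_tables enforce both and keep the target off non-IPv4 tables.

```c
static unsigned int
target(struct sk_buff *skb, const struct xt_action_param *par)
{
	struct iphdr *iph;
	struct ip_options *opt;
	unsigned int hdrlen, optlen;

	/* … unchanged: skb_make_writable() check … */

	iph = ip_hdr(skb);
	hdrlen = iph->ihl * 4;

	/* malformed header length: refuse rather than write out of bounds */
	if (hdrlen < sizeof(struct iphdr) || hdrlen > skb->len)
		return NF_DROP;

	/* length comes from the header itself, not from the control block */
	optlen = hdrlen - sizeof(struct iphdr);
	if (optlen == 0)
		return XT_CONTINUE;

	memset((unsigned char *)iph + sizeof(struct iphdr), IPOPT_NOOP, optlen);
	/* option bytes changed, so the header checksum must be recomputed */
	ip_send_check(iph);

	opt = &(IPCB(skb)->opt);
	memset(opt, 0, sizeof(struct ip_options));
	opt->optlen = optlen;

	return XT_CONTINUE;
}
```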