1 diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/Kconfig linux-2.6.21.a/net/ipv4/netfilter/Kconfig
2 --- linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:11:52.000000000 +0200
3 +++ linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
4 @@ -668,5 +668,15 @@ config IP_NF_ARP_MANGLE
5 Allows altering the ARP packet payload: source and destination
6 hardware and network addresses.
8 +config IP_NF_TARGET_IPV4OPTSSTRIP
9 + tristate 'IPV4OPTSSTRIP target support'
10 + depends on IP_NF_MANGLE
12 + This option adds an IPV4OPTSSTRIP target.
13 + This target allows you to strip all IP options in a packet.
15 + If you want to compile it as a module, say M here and read
16 + Documentation/modules.txt. If unsure, say `N'.
20 --- linux-3.4/net/ipv4/netfilter/Makefile~ 2012-05-21 08:42:02.000000000 +0200
21 +++ linux-3.4/net/ipv4/netfilter/Makefile 2012-05-21 08:45:09.247956356 +0200
24 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
25 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
26 +obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
27 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
28 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
29 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
30 diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
31 --- linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
32 +++ linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2007-05-30 11:18:08.000000000 +0200
35 + * Strip all IP options in the IP packet header.
37 + * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
38 + * This software is distributed under GNU GPL v2, 1991
41 +#include <linux/module.h>
42 +#include <linux/skbuff.h>
44 +#include <net/checksum.h>
45 +#include <linux/netfilter/x_tables.h>
46 +#include <linux/netfilter_ipv4/ip_tables.h>
48 +MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
49 +MODULE_DESCRIPTION("Strip all options in IPv4 packets");
50 +MODULE_LICENSE("GPL");
53 +target(struct sk_buff *skb, const struct xt_action_param *par)
56 + struct ip_options *opt;
57 + unsigned char *optiph;
60 + if (!skb_make_writable(skb, skb->len))
65 + /* if no options in packet then nothing to clear. */
66 + if (iph->ihl * 4 == sizeof(struct iphdr))
69 + /* else clear all options */
70 + optiph = skb_network_header(skb);
71 + l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
72 + memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
73 + memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
74 + opt = &(IPCB(skb)->opt);
81 +checkentry(const struct xt_tgchk_param *par)
83 + if (strcmp(par->table, "mangle")) {
84 + printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", par->table);
87 + /* nothing else to check because no parameters */
91 +static struct xt_target ipt_ipv4optsstrip_reg = {
92 + .name = "IPV4OPTSSTRIP",
94 + .checkentry = checkentry,
95 + .me = THIS_MODULE };
97 +static int __init init(void)
99 + return xt_register_target(&ipt_ipv4optsstrip_reg);
102 +static void __exit fini(void)
104 + xt_unregister_target(&ipt_ipv4optsstrip_reg);
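Review bot: In `target()`, the length passed to `memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l)` comes from `IPCB(skb)->opt.optlen`, not from the header that the `iph->ihl * 4 == sizeof(struct iphdr)` test just inspected. The control block is only filled in once the stack has parsed the options, so at a mangle hook that runs earlier (PREROUTING, as far as I can tell) `optlen` is still zero and the packet leaves with its options intact although the rule matched. A stale or foreign control block would also make the write length disagree with the real header. Deriving the length from the header keeps the write bounded by what the packet declares: `l = iph->ihl * 4 - sizeof(struct iphdr);`. Several lines of the function are missing from this listing, so if they do not already do so, the IP header checksum also has to be recomputed after the option bytes are overwritten.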