1 diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
2 --- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
3 +++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
5 +#ifndef __ipt_ipv4options_h_included__
6 +#define __ipt_ipv4options_h_included__
8 +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
9 +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
10 +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
11 +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
12 +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
13 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
14 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
15 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
16 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
17 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
18 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
20 +struct ipt_ipv4options_info {
25 +#endif /* __ipt_ipv4options_h_included__ */
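Review bot: The include guard `__ipt_ipv4options_h_included__` uses a double-underscore name, which is reserved for the implementation and also differs from the naming the rest of the netfilter headers use; `_IPT_IPV4OPTIONS_H` would be the conventional form for both the `#ifndef`/`#define` and the closing `#endif` comment. The `struct ipt_ipv4options_info` body between the `struct` line and `#endif` is not shown here, so its fields (the .c file reads an `options` member) could not be checked.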
26 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
27 --- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
28 +++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
29 @@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
30 If you want to compile it as a module, say M here and read
31 Documentation/modules.txt. If unsure, say `N'.
33 +config IP_NF_MATCH_IPV4OPTIONS
34 + tristate 'IPV4OPTIONS match support'
35 + depends on IP_NF_IPTABLES
37 + This option adds a IPV4OPTIONS match.
38 + It allows you to filter options like source routing,
39 + record route, timestamp and router-altert.
41 + If you say Y here, try iptables -m ipv4options --help for more information.
43 + If you want to compile it as a module, say M here and read
44 + Documentation/modules.txt. If unsure, say `N'.
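Review bot: The help text in the new `IP_NF_MATCH_IPV4OPTIONS` entry has two wording errors that will show up verbatim in menuconfig: `router-altert` should be `router-alert` (the option this match actually tests, per the `ROUTER_ALERT` flags in the header), and `This option adds a IPV4OPTIONS match.` should read `This option adds an IPV4OPTIONS match.`. It would also help operators to say in the help that the match tests the options the kernel has already parsed for the packet rather than the raw header, since that determines in which chains the match is meaningful.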
48 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
49 --- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
50 +++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
51 @@ -86,6 +86,9 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
52 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
53 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
54 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
56 +obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
58 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
59 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
60 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
61 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
62 --- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
63 +++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
66 + This is a module which is used to match ipv4 options.
67 + This file is distributed under the terms of the GNU General Public
68 + License (GPL). Copies of the GPL can be obtained from:
69 + ftp://prep.ai.mit.edu/pub/gnu/GPL
71 + 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
72 + 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
73 + 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
74 + 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
75 + 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
78 +#include <linux/module.h>
79 +#include <linux/skbuff.h>
81 +#include <linux/netfilter/x_tables.h>
82 +#include <linux/netfilter_ipv4/ip_tables.h>
83 +#include <linux/netfilter_ipv4/ipt_ipv4options.h>
85 +MODULE_LICENSE("GPL");
86 +MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
89 +match(const struct sk_buff *skb,
90 + const struct net_device *in,
91 + const struct net_device *out,
92 + const struct xt_match *match,
93 + const void *matchinfo,
95 + unsigned int protoff,
98 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
99 + const struct iphdr *iph = ip_hdr(skb);
100 + const struct ip_options *opt;
102 + if (iph->ihl * 4 == sizeof(struct iphdr)) {
103 + /* No options, so we match only the "DONTs" and the "IGNOREs" */
105 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
106 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
107 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
108 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
109 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
110 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
115 + if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
116 + /* there are options, and we don't need to care which one */
119 + if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
120 + /* there are options but we don't want any ! */
125 + opt = &(IPCB(skb)->opt);
127 + /* source routing */
128 + if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
129 + if (!((opt->srr) && (opt->is_strictroute)))
132 + else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
133 + if (!((opt->srr) && (!opt->is_strictroute)))
136 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
141 + if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
145 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
150 + if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
154 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
158 + /* router-alert option */
159 + if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
160 + if (!opt->router_alert)
163 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
164 + if (opt->router_alert)
173 +checkentry(const char *tablename,
175 + const struct xt_match *match,
178 + unsigned int hook_mask)
180 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
184 + /* Now check the coherence of the data ... */
185 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
186 + (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
187 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
188 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
189 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
190 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
191 + return 0; /* opposites */
192 + if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
193 + (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
194 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
195 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
196 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
197 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
198 + ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
199 + return 0; /* opposites */
200 + if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
201 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
202 + return 0; /* cannot match in the same time loose and strict source routing */
203 + if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
204 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
205 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
206 + return 0; /* opposites */
207 + if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
208 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
209 + return 0; /* opposites */
210 + if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
211 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
212 + return 0; /* opposites */
213 + if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
214 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
215 + return 0; /* opposites */
217 + /* everything looks ok. */
221 +static struct xt_match ipv4options_match = {
222 + .name = "ipv4options",
225 + .matchsize = sizeof(struct ipt_ipv4options_info),
226 + .checkentry = checkentry,
230 +static int __init init(void)
232 + return xt_register_match(&ipv4options_match);
235 +static void __exit fini(void)
237 + xt_unregister_match(&ipv4options_match);
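Review bot: `match()` takes its answer from `IPCB(skb)->opt` (the `opt = &(IPCB(skb)->opt);` line) rather than from the option bytes in the header, and `checkentry()` does not restrict `hook_mask`, so the match will give an answer in every chain even where that control block has not been filled in yet. As far as I recall of the 2.6.21 receive path, `ip_rcv()` zeroes `IPCB(skb)` before the PRE_ROUTING hook and the options are only parsed in `ip_rcv_finish()`, which would mean a `--ssrr`/`--lsrr` rule in the raw or mangle PRE_ROUTING chain silently never matches while a `--no-srr` rule there matches every packet, i.e. a bypass for exactly the source-routed packets this module exists to filter; please confirm against ip_input.c. If that is the case, either reject that hook in `checkentry()`, e.g. `if (hook_mask & (1 << NF_IP_PRE_ROUTING)) return 0;` with a comment saying options are not parsed yet at that point, or parse the header bytes directly so the match is hook-independent. The hunk continues past the visible lines (closing brace of `fini()` and the module_init/module_exit lines are not shown), and the `.family`/`.match` members of `ipv4options_match` are also not visible here.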