pom-ng-ipv4options-20060504.patch

   1  include/linux/netfilter_ipv4/ipt_ipv4options.h |   21 +++
   2  net/ipv4/netfilter/Kconfig                     |   13 +
   3  net/ipv4/netfilter/Makefile                    |    1
   4  net/ipv4/netfilter/ipt_ipv4options.c           |  173 +++++++++++++++++++++++++
   5  4 files changed, 208 insertions(+)
   6
   7 diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux/include/linux/netfilter_ipv4/ipt_ipv4options.h
   8 --- linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h    1970-01-01 01:00:00.000000000 +0100
   9 +++ linux/include/linux/netfilter_ipv4/ipt_ipv4options.h        2006-05-04 10:14:44.000000000 +0200
  10 @@ -0,0 +1,21 @@
  11 +#ifndef __ipt_ipv4options_h_included__
  12 +#define __ipt_ipv4options_h_included__
  13 +
  14 +#define IPT_IPV4OPTION_MATCH_SSRR              0x01  /* For strict source routing */
  15 +#define IPT_IPV4OPTION_MATCH_LSRR              0x02  /* For loose source routing */
  16 +#define IPT_IPV4OPTION_DONT_MATCH_SRR          0x04  /* any source routing */
  17 +#define IPT_IPV4OPTION_MATCH_RR                        0x08  /* For Record route */
  18 +#define IPT_IPV4OPTION_DONT_MATCH_RR           0x10
  19 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP         0x20  /* For timestamp request */
  20 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP    0x40
  21 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT      0x80  /* For router-alert */
  22 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
  23 +#define IPT_IPV4OPTION_MATCH_ANY_OPT           0x200 /* match packet with any option */
  24 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT      0x400 /* match packet with no option */
  25 +
  26 +struct ipt_ipv4options_info {
  27 +       u_int16_t options;
  28 +};
  29 +
  30 +
  31 +#endif /* __ipt_ipv4options_h_included__ */
  32 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
  33 --- linux.org/net/ipv4/netfilter/Kconfig        2006-05-02 23:38:44.000000000 +0200
  34 +++ linux/net/ipv4/netfilter/Kconfig    2006-05-04 10:14:44.000000000 +0200
  35 @@ -606,5 +606,18 @@
  36           Allows altering the ARP packet payload: source and destination
  37           hardware and network addresses.
  38
  39 +config IP_NF_MATCH_IPV4OPTIONS
  40 +       tristate  'IPV4OPTIONS match support'
  41 +       depends on IP_NF_IPTABLES
  42 +       help
  43 +         This option adds a IPV4OPTIONS match.
  44 +         It allows you to filter options like source routing,
  45 +         record route, timestamp and router-altert.
  46 +
  47 +         If you say Y here, try iptables -m ipv4options --help for more information.
  48 +
  49 +         If you want to compile it as a module, say M here and read
  50 +         Documentation/modules.txt.  If unsure, say `N'.
  51 +
  52  endmenu
  53
  54 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
  55 --- linux.org/net/ipv4/netfilter/Makefile       2006-05-02 23:38:44.000000000 +0200
  56 +++ linux/net/ipv4/netfilter/Makefile   2006-05-04 10:14:44.000000000 +0200
  57 @@ -0,0 +0,1 @@
  58 +obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
  59 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linux/net/ipv4/netfilter/ipt_ipv4options.c
  60 --- linux.org/net/ipv4/netfilter/ipt_ipv4options.c      1970-01-01 01:00:00.000000000 +0100
  61 +++ linux/net/ipv4/netfilter/ipt_ipv4options.c  2006-05-04 10:14:44.000000000 +0200
  62 @@ -0,0 +1,173 @@
  63 +/*
  64 +  This is a module which is used to match ipv4 options.
  65 +  This file is distributed under the terms of the GNU General Public
  66 +  License (GPL). Copies of the GPL can be obtained from:
  67 +  ftp://prep.ai.mit.edu/pub/gnu/GPL
  68 +
  69 +  11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
  70 +  12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
  71 +  12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
  72 +  18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
  73 +  19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
  74 +*/
  75 +
  76 +#include <linux/module.h>
  77 +#include <linux/skbuff.h>
  78 +#include <net/ip.h>
  79 +
  80 +#include <linux/netfilter_ipv4/ip_tables.h>
  81 +#include <linux/netfilter_ipv4/ipt_ipv4options.h>
  82 +
  83 +MODULE_LICENSE("GPL");
  84 +MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
  85 +
  86 +static int
  87 +match(const struct sk_buff *skb,
  88 +      const struct net_device *in,
  89 +      const struct net_device *out,
  90 +      const void *matchinfo,
  91 +      int offset,
  92 +      unsigned int protoff,
  93 +      int *hotdrop)
  94 +{
  95 +       const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
  96 +       const struct iphdr *iph = skb->nh.iph;
  97 +       const struct ip_options *opt;
  98 +
  99 +       if (iph->ihl * 4 == sizeof(struct iphdr)) {
 100 +               /* No options, so we match only the "DONTs" and the "IGNOREs" */
 101 +
 102 +               if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
 103 +                   ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
 104 +                   ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
 105 +                   ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
 106 +                   ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
 107 +                    ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
 108 +                       return 0;
 109 +               return 1;
 110 +       }
 111 +       else {
 112 +               if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
 113 +                       /* there are options, and we don't need to care which one */
 114 +                       return 1;
 115 +               else {
 116 +                       if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
 117 +                               /* there are options but we don't want any ! */
 118 +                               return 0;
 119 +               }
 120 +       }
 121 +
 122 +       opt = &(IPCB(skb)->opt);
 123 +
 124 +       /* source routing */
 125 +       if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
 126 +               if (!((opt->srr) && (opt->is_strictroute)))
 127 +                       return 0;
 128 +       }
 129 +       else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
 130 +               if (!((opt->srr) && (!opt->is_strictroute)))
 131 +                       return 0;
 132 +       }
 133 +       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
 134 +               if (opt->srr)
 135 +                       return 0;
 136 +       }
 137 +       /* record route */
 138 +       if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
 139 +               if (!opt->rr)
 140 +                       return 0;
 141 +       }
 142 +       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
 143 +               if (opt->rr)
 144 +                       return 0;
 145 +       }
 146 +       /* timestamp */
 147 +       if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
 148 +               if (!opt->ts)
 149 +                       return 0;
 150 +       }
 151 +       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
 152 +               if (opt->ts)
 153 +                       return 0;
 154 +       }
 155 +       /* router-alert option  */
 156 +       if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
 157 +               if (!opt->router_alert)
 158 +                       return 0;
 159 +       }
 160 +       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
 161 +               if (opt->router_alert)
 162 +                       return 0;
 163 +       }
 164 +
 165 +       /* we match ! */
 166 +       return 1;
 167 +}
 168 +
 169 +static int
 170 +checkentry(const char *tablename,
 171 +          const struct ipt_ip *ip,
 172 +          void *matchinfo,
 173 +          unsigned int matchsize,
 174 +          unsigned int hook_mask)
 175 +{
 176 +       const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
 177 +       /* Check the size */
 178 +       if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
 179 +               return 0;
 180 +       /* Now check the coherence of the data ... */
 181 +       if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
 182 +           (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
 183 +            ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
 184 +            ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
 185 +            ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
 186 +            ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
 187 +               return 0; /* opposites */
 188 +       if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
 189 +           (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
 190 +            ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
 191 +            ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
 192 +            ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
 193 +            ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
 194 +            ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
 195 +               return 0; /* opposites */
 196 +       if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
 197 +           ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
 198 +               return 0; /* cannot match in the same time loose and strict source routing */
 199 +       if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
 200 +            ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
 201 +           ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
 202 +               return 0; /* opposites */
 203 +       if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
 204 +           ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
 205 +               return 0; /* opposites */
 206 +       if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
 207 +           ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
 208 +               return 0; /* opposites */
 209 +       if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
 210 +           ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
 211 +               return 0; /* opposites */
 212 +
 213 +       /* everything looks ok. */
 214 +       return 1;
 215 +}
 216 +
 217 +static struct ipt_match ipv4options_match = {
 218 +       .name = "ipv4options",
 219 +       .match = match,
 220 +       .checkentry = checkentry,
 221 +       .me = THIS_MODULE
 222 +};
 223 +
 224 +static int __init init(void)
 225 +{
 226 +       return ipt_register_match(&ipv4options_match);
 227 +}
 228 +
 229 +static void __exit fini(void)
 230 +{
 231 +       ipt_unregister_match(&ipv4options_match);
 232 +}
 233 +
 234 +module_init(init);
 235 +module_exit(fini);