1 include/linux/netfilter_ipv4/ipt_ipv4options.h | 21 +++
2 net/ipv4/netfilter/Kconfig | 13 +
3 net/ipv4/netfilter/Makefile | 1
4 net/ipv4/netfilter/ipt_ipv4options.c | 173 +++++++++++++++++++++++++
5 4 files changed, 208 insertions(+)
7 diff -Nur --exclude '*.orig' linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux/include/linux/netfilter_ipv4/ipt_ipv4options.h
8 --- linux.org/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
9 +++ linux/include/linux/netfilter_ipv4/ipt_ipv4options.h 2006-05-04 10:14:44.000000000 +0200
11 +#ifndef __ipt_ipv4options_h_included__
12 +#define __ipt_ipv4options_h_included__
14 +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
15 +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
16 +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
17 +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
18 +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
19 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
20 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
21 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
22 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
23 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
24 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
26 +struct ipt_ipv4options_info {
31 +#endif /* __ipt_ipv4options_h_included__ */
32 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
33 --- linux.org/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
34 +++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 10:14:44.000000000 +0200
36 Allows altering the ARP packet payload: source and destination
37 hardware and network addresses.
39 +config IP_NF_MATCH_IPV4OPTIONS
40 + tristate 'IPV4OPTIONS match support'
41 + depends on IP_NF_IPTABLES
43 + This option adds a IPV4OPTIONS match.
44 + It allows you to filter options like source routing,
45 + record route, timestamp and router-altert.
47 + If you say Y here, try iptables -m ipv4options --help for more information.
49 + If you want to compile it as a module, say M here and read
50 + Documentation/modules.txt. If unsure, say `N'.
54 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
55 --- linux.org/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
56 +++ linux/net/ipv4/netfilter/Makefile 2006-05-04 10:14:44.000000000 +0200
58 +obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
59 diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_ipv4options.c linux/net/ipv4/netfilter/ipt_ipv4options.c
60 --- linux.org/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
61 +++ linux/net/ipv4/netfilter/ipt_ipv4options.c 2006-05-04 10:14:44.000000000 +0200
64 + This is a module which is used to match ipv4 options.
65 + This file is distributed under the terms of the GNU General Public
66 + License (GPL). Copies of the GPL can be obtained from:
67 + ftp://prep.ai.mit.edu/pub/gnu/GPL
69 + 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
70 + 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
71 + 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
72 + 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
73 + 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
76 +#include <linux/module.h>
77 +#include <linux/skbuff.h>
80 +#include <linux/netfilter_ipv4/ip_tables.h>
81 +#include <linux/netfilter_ipv4/ipt_ipv4options.h>
83 +MODULE_LICENSE("GPL");
84 +MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
87 +match(const struct sk_buff *skb,
88 + const struct net_device *in,
89 + const struct net_device *out,
90 + const void *matchinfo,
92 + unsigned int protoff,
95 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
96 + const struct iphdr *iph = skb->nh.iph;
97 + const struct ip_options *opt;
99 + if (iph->ihl * 4 == sizeof(struct iphdr)) {
100 + /* No options, so we match only the "DONTs" and the "IGNOREs" */
102 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
103 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
104 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
105 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
106 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
107 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
112 + if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
113 + /* there are options, and we don't need to care which one */
116 + if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
117 + /* there are options but we don't want any ! */
122 + opt = &(IPCB(skb)->opt);
124 + /* source routing */
125 + if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
126 + if (!((opt->srr) && (opt->is_strictroute)))
129 + else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
130 + if (!((opt->srr) && (!opt->is_strictroute)))
133 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
138 + if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
142 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
147 + if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
151 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
155 + /* router-alert option */
156 + if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
157 + if (!opt->router_alert)
160 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
161 + if (opt->router_alert)
170 +checkentry(const char *tablename,
171 + const struct ipt_ip *ip,
173 + unsigned int matchsize,
174 + unsigned int hook_mask)
176 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
177 + /* Check the size */
178 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
180 + /* Now check the coherence of the data ... */
181 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
182 + (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
183 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
184 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
185 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
186 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
187 + return 0; /* opposites */
188 + if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
189 + (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
190 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
191 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
192 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
193 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
194 + ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
195 + return 0; /* opposites */
196 + if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
197 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
198 + return 0; /* cannot match in the same time loose and strict source routing */
199 + if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
200 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
201 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
202 + return 0; /* opposites */
203 + if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
204 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
205 + return 0; /* opposites */
206 + if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
207 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
208 + return 0; /* opposites */
209 + if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
210 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
211 + return 0; /* opposites */
213 + /* everything looks ok. */
217 +static struct ipt_match ipv4options_match = {
218 + .name = "ipv4options",
220 + .checkentry = checkentry,
224 +static int __init init(void)
226 + return ipt_register_match(&ipv4options_match);
229 +static void __exit fini(void)
231 + ipt_unregister_match(&ipv4options_match);