[packages/kernel.git] / kernel-pom-ng-ipv4options.patch

diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h	2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR		0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR		0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR		0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR			0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR		0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP		0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP	0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT	0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT	0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT		0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT	0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+	u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig	2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig	2007-05-30 11:22:30.000000000 +0200
@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
 	  If you want to compile it as a module, say M here and read
 	  Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_MATCH_IPV4OPTIONS
+	tristate  'IPV4OPTIONS match support'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a IPV4OPTIONS match.
+	  It allows you to filter options like source routing,
+	  record route, timestamp and router-altert.
+	
+	  If you say Y here, try iptables -m ipv4options --help for more information.
+	 
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.
+
 endmenu
 
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
--- linux-2.6.21.a/net/ipv4/netfilter/Makefile	2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile	2007-05-30 11:22:30.000000000 +0200
@@ -64,6 +64,8 @@
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
 obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c	2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,176 @@
+/*
+  This is a module which is used to match ipv4 options.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+  ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+  12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
+  12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
+  18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
+  19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
+
+static bool
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const struct xt_match *match,
+      const void *matchinfo,
+      int offset,
+      unsigned int protoff,
+      bool *hotdrop)
+{
+	const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+	const struct iphdr *iph = ip_hdr(skb);
+	const struct ip_options *opt;
+
+	if (iph->ihl * 4 == sizeof(struct iphdr)) {
+		/* No options, so we match only the "DONTs" and the "IGNOREs" */
+
+		if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+		    ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+                    ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+			return 0;
+		return 1;
+	}
+	else {
+		if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
+			/* there are options, and we don't need to care which one */
+			return 1;
+		else {
+			if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+				/* there are options but we don't want any ! */
+				return 0;
+		}
+	}
+
+	opt = &(IPCB(skb)->opt);
+
+	/* source routing */
+	if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
+		if (!((opt->srr) && (opt->is_strictroute)))
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
+		if (!((opt->srr) && (!opt->is_strictroute)))
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
+		if (opt->srr)
+			return 0;
+	}
+	/* record route */
+	if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
+		if (!opt->rr)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
+		if (opt->rr)
+			return 0;
+	}
+	/* timestamp */
+	if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
+		if (!opt->ts)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
+		if (opt->ts)
+			return 0;
+	}
+	/* router-alert option  */
+	if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
+		if (!opt->router_alert)
+			return 0;
+	}
+	else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
+		if (opt->router_alert)
+			return 0;
+	}
+
+	/* we match ! */
+	return 1;
+}
+
+static bool
+checkentry(const char *tablename,
+	   const void *ip,
+	   const struct xt_match *match,
+	   void *matchinfo,
+	   unsigned int hook_mask)
+{
+	const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+
+
+
+	/* Now check the coherence of the data ... */
+	if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+	    (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
+	     ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
+	    (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
+	    ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
+		return 0; /* cannot match in the same time loose and strict source routing */
+	if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+	     ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+		return 0; /* opposites */
+	if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
+	    ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+		return 0; /* opposites */
+
+	/* everything looks ok. */
+	return 1;
+}
+
+static struct xt_match ipv4options_match = { 
+	.name = "ipv4options",
+	.family = AF_INET,
+	.match = match,
+	.matchsize = sizeof(struct ipt_ipv4options_info),
+	.checkentry = checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return xt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
+	xt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
+module_exit(fini);
Commit	Line	Data
2380c486 JR	1	diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
	2	--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
	3	+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
	4	@@ -0,0 +1,21 @@
	5	+#ifndef __ipt_ipv4options_h_included__
	6	+#define __ipt_ipv4options_h_included__
	7	+
	8	+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
	9	+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
	10	+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
	11	+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
	12	+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
	13	+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
	14	+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
	15	+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
	16	+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
	17	+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
	18	+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
	19	+
	20	+struct ipt_ipv4options_info {
	21	+ u_int16_t options;
	22	+};
	23	+
	24	+
	25	+#endif /* __ipt_ipv4options_h_included__ */
	26	diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
	27	--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
	28	+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
	29	@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
	30	If you want to compile it as a module, say M here and read
	31	Documentation/modules.txt. If unsure, say `N'.
	32
	33	+config IP_NF_MATCH_IPV4OPTIONS
	34	+ tristate 'IPV4OPTIONS match support'
	35	+ depends on IP_NF_IPTABLES
	36	+ help
	37	+ This option adds a IPV4OPTIONS match.
	38	+ It allows you to filter options like source routing,
	39	+ record route, timestamp and router-altert.
	40	+
	41	+ If you say Y here, try iptables -m ipv4options --help for more information.
	42	+
	43	+ If you want to compile it as a module, say M here and read
	44	+ Documentation/modules.txt. If unsure, say `N'.
	45	+
	46	endmenu
	47
	48	diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
	49	--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
	50	+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
	51	@@ -64,6 +64,8 @@
	52	obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
	53	obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
	54
	55	+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
	56	+
	57	# generic ARP tables
	58	obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
	59	obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o
	60	diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
	61	--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
	62	+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
	63	@@ -0,0 +1,176 @@
	64	+/*
65	+ This is a module which is used to match ipv4 options.
66	+ This file is distributed under the terms of the GNU General Public
67	+ License (GPL). Copies of the GPL can be obtained from:
68	+ ftp://prep.ai.mit.edu/pub/gnu/GPL
69	+
70	+ 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
71	+ 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
72	+ 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
73	+ 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
74	+ 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
75	+*/
76	+
77	+#include <linux/module.h>
78	+#include <linux/skbuff.h>
79	+#include <net/ip.h>
80	+#include <linux/netfilter/x_tables.h>
81	+#include <linux/netfilter_ipv4/ip_tables.h>
82	+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
83	+
84	+MODULE_LICENSE("GPL");
85	+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
86	+
87	+static bool
88	+match(const struct sk_buff *skb,
89	+ const struct net_device *in,
90	+ const struct net_device *out,
91	+ const struct xt_match *match,
92	+ const void *matchinfo,
93	+ int offset,
94	+ unsigned int protoff,
95	+ bool *hotdrop)
96	+{
97	+ const struct ipt_ipv4options_info info = matchinfo; / match info for rule */
98	+ const struct iphdr *iph = ip_hdr(skb);
99	+ const struct ip_options *opt;
100	+
101	+ if (iph->ihl * 4 == sizeof(struct iphdr)) {
102	+ /* No options, so we match only the "DONTs" and the "IGNOREs" */
103	+
104	+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) \|\|
105	+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
106	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) \|\|
107	+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) \|\|
108	+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) \|\|
109	+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
110	+ return 0;
111	+ return 1;
112	+ }
113	+ else {
114	+ if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
115	+ /* there are options, and we don't need to care which one */
116	+ return 1;
117	+ else {
118	+ if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
119	+ /* there are options but we don't want any ! */
120	+ return 0;
121	+ }
122	+ }
123	+
124	+ opt = &(IPCB(skb)->opt);
125	+
126	+ /* source routing */
127	+ if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
128	+ if (!((opt->srr) && (opt->is_strictroute)))
129	+ return 0;
130	+ }
131	+ else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
132	+ if (!((opt->srr) && (!opt->is_strictroute)))
133	+ return 0;
134	+ }
135	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
136	+ if (opt->srr)
137	+ return 0;
138	+ }
139	+ /* record route */
140	+ if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
141	+ if (!opt->rr)
142	+ return 0;
143	+ }
144	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
145	+ if (opt->rr)
146	+ return 0;
147	+ }
148	+ /* timestamp */
149	+ if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
150	+ if (!opt->ts)
151	+ return 0;
152	+ }
153	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
154	+ if (opt->ts)
155	+ return 0;
156	+ }
157	+ /* router-alert option */
158	+ if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
159	+ if (!opt->router_alert)
160	+ return 0;
161	+ }
162	+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
163	+ if (opt->router_alert)
164	+ return 0;
165	+ }
166	+
167	+ /* we match ! */
168	+ return 1;
169	+}
170	+
171	+static bool
172	+checkentry(const char *tablename,
173	+ const void *ip,
174	+ const struct xt_match *match,
175	+ void *matchinfo,
176	+ unsigned int hook_mask)
177	+{
178	+ const struct ipt_ipv4options_info info = matchinfo; / match info for rule */
179	+
180	+
181	+
182	+ /* Now check the coherence of the data ... */
183	+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
184	+ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) \|\|
185	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) \|\|
186	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) \|\|
187	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) \|\|
188	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
189	+ return 0; /* opposites */
190	+ if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
191	+ (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) \|\|
192	+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
193	+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) \|\|
194	+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) \|\|
195	+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) \|\|
196	+ ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
197	+ return 0; /* opposites */
198	+ if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
199	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
200	+ return 0; /* cannot match in the same time loose and strict source routing */
201	+ if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) \|\|
202	+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
203	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
204	+ return 0; /* opposites */
205	+ if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
206	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
207	+ return 0; /* opposites */
208	+ if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
209	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
210	+ return 0; /* opposites */
211	+ if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
212	+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
213	+ return 0; /* opposites */
214	+
215	+ /* everything looks ok. */
216	+ return 1;
217	+}
218	+
219	+static struct xt_match ipv4options_match = {
220	+ .name = "ipv4options",
221	+ .family = AF_INET,
222	+ .match = match,
223	+ .matchsize = sizeof(struct ipt_ipv4options_info),
224	+ .checkentry = checkentry,
225	+ .me = THIS_MODULE
226	+};
227	+
228	+static int __init init(void)
229	+{
230	+ return xt_register_match(&ipv4options_match);
231	+}
232	+
233	+static void __exit fini(void)
234	+{
235	+ xt_unregister_match(&ipv4options_match);
236	+}
237	+
238	+module_init(init);
239	+module_exit(fini);