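diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+ u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */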
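Review bot: The include guard `__ipt_ipv4options_h_included__` begins with a double underscore, which is reserved for the compiler and C library; a guard in the header's own namespace such as `_IPT_IPV4OPTIONS_H` avoids that. `struct ipt_ipv4options_info` is the rule blob handed across the iptables user/kernel boundary, so the field would conventionally be declared `__u16 options;` in a kernel-exported header rather than `u_int16_t` (same size and layout, only the type name changes). The comment on `IPT_IPV4OPTION_DONT_MATCH_SRR` reads like a match description; `/* no source routing of either kind */` states what the flag actually requires.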
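diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
 If you want to compile it as a module, say M here and read
 Documentation/modules.txt. If unsure, say `N'.
 
+config IP_NF_MATCH_IPV4OPTIONS
+ tristate 'IPV4OPTIONS match support'
+ depends on IP_NF_IPTABLES
+ help
+ This option adds a IPV4OPTIONS match.
+ It allows you to filter options like source routing,
+ record route, timestamp and router-altert.
+
+ If you say Y here, try iptables -m ipv4options --help for more information.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
 endmenu
 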
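Review bot: The new help text has two typos that will be visible to everyone running menuconfig: `record route, timestamp and router-altert.` should read `record route, timestamp and router-alert.`, and `This option adds a IPV4OPTIONS match.` should read `This option adds an IPV4OPTIONS match.`. The help could also say in one line which hooks the match is meaningful in, since it relies on the kernel having already parsed the packet's options.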
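diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
--- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
@@ -64,6 +64,8 @@
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
 obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o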
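diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,176 @@
+/*
+ This is a module which is used to match ipv4 options.
+ This file is distributed under the terms of the GNU General Public
+ License (GPL). Copies of the GPL can be obtained from:
+ ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+ 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+ 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
+ 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
+ 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
+ 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
+
+static bool
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct ip_options *opt;
+
+ if (iph->ihl * 4 == sizeof(struct iphdr)) {
+ /* No options, so we match only the "DONTs" and the "IGNOREs" */
+
+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+ return 0;
+ return 1;
+ }
+ else {
+ if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
+ /* there are options, and we don't need to care which one */
+ return 1;
+ else {
+ if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+ /* there are options but we don't want any ! */
+ return 0;
+ }
+ }
+
+ opt = &(IPCB(skb)->opt);
+
+ /* source routing */
+ if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
+ if (!((opt->srr) && (opt->is_strictroute)))
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
+ if (!((opt->srr) && (!opt->is_strictroute)))
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
+ if (opt->srr)
+ return 0;
+ }
+ /* record route */
+ if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
+ if (!opt->rr)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
+ if (opt->rr)
+ return 0;
+ }
+ /* timestamp */
+ if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
+ if (!opt->ts)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
+ if (opt->ts)
+ return 0;
+ }
+ /* router-alert option */
+ if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
+ if (!opt->router_alert)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
+ if (opt->router_alert)
+ return 0;
+ }
+
+ /* we match ! */
+ return 1;
+}
+
+static bool
+checkentry(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ unsigned int hook_mask)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
+
+
+
+ /* Now check the coherence of the data ... */
+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
+ (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
+ return 0; /* cannot match in the same time loose and strict source routing */
+ if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+ return 0; /* opposites */
+
+ /* everything looks ok. */
+ return 1;
+}
+
+static struct xt_match ipv4options_match = {
+ .name = "ipv4options",
+ .family = AF_INET,
+ .match = match,
+ .matchsize = sizeof(struct ipt_ipv4options_info),
+ .checkentry = checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return xt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
+ xt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
+module_exit(fini);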
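Review bot: `match()` decides every per-option flag from `IPCB(skb)->opt` (the `opt = &(IPCB(skb)->opt);` line) but `checkentry()` never inspects its `hook_mask` parameter, so the rule is accepted in any hook; as far as I recall, the receive path only fills in the control-block option fields after the PRE_ROUTING hook has run, which would make a PREROUTING rule with `--ssrr`, `--rr` or similar silently see an all-zero option set while `--any-opt`, which reads `iph->ihl` directly, still works — worth confirming, and if so checkentry should reject hook masks that include PRE_ROUTING (or the filter should parse the options from the header itself). In the same function, the `const struct xt_match *match` parameter shadows the function `match` it lives in, which trips `-Wshadow`; `const struct xt_match *xm` avoids the clash. Both functions are declared `bool` but return `0`/`1` throughout; `false`/`true` would read as intended. The `(info->options & FLAG) == FLAG` comparisons are all on single-bit flags, so plain `info->options & FLAG` would say the same thing with far less noise, and `init`/`fini` are generic names for a module where `ipv4options_mt_init`/`ipv4options_mt_exit` would be self-describing in a stack trace.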