- up to 5.11.8

[packages/kernel.git] / kernel-pom-ng-IPV4OPTSSTRIP.patch

diff -ur linux-5.9/net/ipv4/netfilter.org/Kconfig linux-5.9/net/ipv4/netfilter/Kconfig
--- linux-5.9/net/ipv4/netfilter.org/Kconfig    2020-10-11 23:15:50.000000000 +0200
+++ linux-5.9/net/ipv4/netfilter/Kconfig        2020-11-03 13:07:22.874511004 +0100
@@ -356,5 +356,15 @@
 
 endif # IP_NF_ARPTABLES
 
+config IP_NF_TARGET_IPV4OPTSSTRIP
+       tristate  'IPV4OPTSSTRIP target support'
+       depends on IP_NF_MANGLE
+       help
+         This option adds an IPV4OPTSSTRIP target.
+         This target allows you to strip all IP options in a packet.
+        
+         If you want to compile it as a module, say M here and read
+         Documentation/modules.txt.  If unsure, say `N'.
+
 endmenu
 
diff -ur linux-5.9/net/ipv4/netfilter.org/Makefile linux-5.9/net/ipv4/netfilter/Makefile
--- linux-5.9/net/ipv4/netfilter.org/Makefile   2020-10-11 23:15:50.000000000 +0200
+++ linux-5.9/net/ipv4/netfilter/Makefile       2020-11-03 13:07:22.874511004 +0100
@@ -48,6 +48,7 @@
 # targets
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o
 
diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
--- linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c       1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c       2007-05-30 11:18:08.000000000 +0200
@@ -0,0 +1,75 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff *skb, const struct xt_action_param *par)
+{
+       struct iphdr *iph;
+       struct ip_options *opt;
+       unsigned char *optiph;
+       int l;
+       
+       if (skb_ensure_writable(skb, skb->len))
+               return NF_DROP;
+ 
+       iph = ip_hdr(skb);
+
+       /* if no options in packet then nothing to clear. */
+       if (iph->ihl * 4 == sizeof(struct iphdr))
+               return XT_CONTINUE;
+
+       /* else clear all options */
+       optiph = skb_network_header(skb);
+       l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+       memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+       memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+       opt = &(IPCB(skb)->opt);
+       opt->optlen = l;
+
+       return XT_CONTINUE;
+}
+
+static int
+checkentry(const struct xt_tgchk_param *par)
+{
+       if (strcmp(par->table, "mangle")) {
+               printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", par->table);
+               return 0;
+       }
+       /* nothing else to check because no parameters */
+       return 1;
+}
+
+static struct xt_target ipt_ipv4optsstrip_reg = { 
+       .name = "IPV4OPTSSTRIP",
+       .target = target,
+       .checkentry = checkentry,
+       .me = THIS_MODULE };
+
+static int __init init(void)
+{
+       return xt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
+       xt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
+module_exit(fini);