1 diff -ur linux-5.9/net/ipv4/netfilter.org/Kconfig linux-5.9/net/ipv4/netfilter/Kconfig
2 --- linux-5.9/net/ipv4/netfilter.org/Kconfig 2020-10-11 23:15:50.000000000 +0200
3 +++ linux-5.9/net/ipv4/netfilter/Kconfig 2020-11-03 13:07:22.874511004 +0100
6 endif # IP_NF_ARPTABLES
8 +config IP_NF_TARGET_IPV4OPTSSTRIP
9 + tristate 'IPV4OPTSSTRIP target support'
10 + depends on IP_NF_MANGLE
12 + This option adds an IPV4OPTSSTRIP target.
13 + This target allows you to strip all IP options in a packet.
15 + If you want to compile it as a module, say M here and read
16 + Documentation/modules.txt. If unsure, say `N'.
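Review bot: The help text for `IP_NF_TARGET_IPV4OPTSSTRIP` does not mention that the target is only accepted in the mangle table, which `checkentry()` in the new C file enforces. It also points at `Documentation/modules.txt`, which I do not believe exists in a 5.9 tree. I would reword the last paragraph to something like `The target can only be used in the mangle table. To compile it as a module, choose M here. If unsure, say N.`, so that the restriction is visible at configuration time and not only in a kernel log warning.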
20 diff -ur linux-5.9/net/ipv4/netfilter.org/Makefile linux-5.9/net/ipv4/netfilter/Makefile
21 --- linux-5.9/net/ipv4/netfilter.org/Makefile 2020-10-11 23:15:50.000000000 +0200
22 +++ linux-5.9/net/ipv4/netfilter/Makefile 2020-11-03 13:07:22.874511004 +0100
25 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
26 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
27 +obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
28 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
29 obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o
31 diff -NurpP --minimal linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
32 --- linux-2.6.21.b/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
33 +++ linux-2.6.21.a/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2007-05-30 11:18:08.000000000 +0200
36 + * Strip all IP options in the IP packet header.
38 + * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
39 + * This software is distributed under GNU GPL v2, 1991
42 +#include <linux/module.h>
43 +#include <linux/skbuff.h>
45 +#include <net/checksum.h>
46 +#include <linux/netfilter/x_tables.h>
47 +#include <linux/netfilter_ipv4/ip_tables.h>
49 +MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
50 +MODULE_DESCRIPTION("Strip all options in IPv4 packets");
51 +MODULE_LICENSE("GPL");
54 +target(struct sk_buff *skb, const struct xt_action_param *par)
57 + struct ip_options *opt;
58 + unsigned char *optiph;
61 + if (skb_ensure_writable(skb, skb->len))
66 + /* if no options in packet then nothing to clear. */
67 + if (iph->ihl * 4 == sizeof(struct iphdr))
70 + /* else clear all options */
71 + optiph = skb_network_header(skb);
72 + l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
73 + memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
74 + memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
75 + opt = &(IPCB(skb)->opt);
82 +checkentry(const struct xt_tgchk_param *par)
84 + if (strcmp(par->table, "mangle")) {
85 + printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", par->table);
88 + /* nothing else to check because no parameters */
92 +static struct xt_target ipt_ipv4optsstrip_reg = {
93 + .name = "IPV4OPTSSTRIP",
95 + .checkentry = checkentry,
96 + .me = THIS_MODULE };
98 +static int __init init(void)
100 + return xt_register_target(&ipt_ipv4optsstrip_reg);
103 +static void __exit fini(void)
105 + xt_unregister_target(&ipt_ipv4optsstrip_reg);
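Review bot: In `target()`, the number of option bytes to overwrite is read from the control block (`l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;`) rather than from the header that was just tested with `iph->ihl * 4`. As far as I can tell the receive path only fills `IPCB(skb)->opt` in `ip_rcv_options()`, which runs after the PREROUTING hook, so in mangle/PREROUTING `l` would be 0 and the packet would continue with its options intact even though the rule matched. Deriving the length from the header removes that dependency: `l = iph->ihl * 4 - sizeof(struct iphdr);`. The lines between `.name` and `.checkentry`, and those after `opt = &(IPCB(skb)->opt);`, are not shown here, so two things need confirming separately: that the registration sets `.family = NFPROTO_IPV4` (the `strcmp(par->table, "mangle")` check alone would also pass for another family's mangle table), and that the header checksum is recomputed after the `memset`.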