1 diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
2 --- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
3 +++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h 2007-05-30 11:22:30.000000000 +0200
5 +#ifndef __ipt_ipv4options_h_included__
6 +#define __ipt_ipv4options_h_included__
8 +#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
9 +#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
10 +#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
11 +#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
12 +#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
13 +#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
14 +#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
15 +#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
16 +#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
17 +#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
18 +#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
20 +struct ipt_ipv4options_info {
25 +#endif /* __ipt_ipv4options_h_included__ */
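Review bot: The include guard `__ipt_ipv4options_h_included__` sits in the identifier space reserved for the implementation (leading double underscore), and the neighbouring netfilter headers use the `_IPT_NAME_H` form; the guard lines would read `#ifndef _IPT_IPV4OPTIONS_H` / `#define _IPT_IPV4OPTIONS_H` with the matching `#endif` comment. The flag values run up to 0x400, so the `options` field of `struct ipt_ipv4options_info` must be at least 16 bits wide or the three highest DONT_MATCH flags are silently truncated when the rule is copied in from userspace — the struct body is not visible in this hunk, so please confirm its type there. The DONT_MATCH_RR, DONT_MATCH_TIMESTAMP and DONT_MATCH_ROUTER_ALERT lines are the only ones without a trailing comment; a short `/* packet must not carry a record route option */` style comment on each keeps the flag table self-describing.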
26 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
27 --- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:18:08.000000000 +0200
28 +++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:22:30.000000000 +0200
29 @@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
30 If you want to compile it as a module, say M here and read
31 Documentation/modules.txt. If unsure, say `N'.
33 +config IP_NF_MATCH_IPV4OPTIONS
34 + tristate 'IPV4OPTIONS match support'
35 + depends on IP_NF_IPTABLES
37 + This option adds a IPV4OPTIONS match.
38 + It allows you to filter options like source routing,
39 + record route, timestamp and router-altert.
41 + If you say Y here, try iptables -m ipv4options --help for more information.
43 + If you want to compile it as a module, say M here and read
44 + Documentation/modules.txt. If unsure, say `N'.
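Review bot: The help text has two wording defects: "router-altert" on the third help line should be "router-alert" (the option name the match and the iptables extension actually use), and "adds a IPV4OPTIONS match" should be "adds an IPV4OPTIONS match". Proposed lines: `This option adds an IPV4OPTIONS match.` and `record route, timestamp and router-alert.`. The trailing context lines of this hunk are not visible here.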
48 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
49 --- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:18:08.000000000 +0200
50 +++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:22:30.000000000 +0200
52 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
53 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
55 +obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
58 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
59 obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o
60 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
61 --- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
62 +++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
65 + This is a module which is used to match ipv4 options.
66 + This file is distributed under the terms of the GNU General Public
67 + License (GPL). Copies of the GPL can be obtained from:
68 + ftp://prep.ai.mit.edu/pub/gnu/GPL
70 + 11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
71 + 12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
72 + 12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
73 + 18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
74 + 19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
77 +#include <linux/module.h>
78 +#include <linux/skbuff.h>
80 +#include <linux/netfilter/x_tables.h>
81 +#include <linux/netfilter_ipv4/ip_tables.h>
82 +#include <linux/netfilter_ipv4/ipt_ipv4options.h>
84 +MODULE_LICENSE("GPL");
85 +MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
88 +match(const struct sk_buff *skb,
89 + const struct net_device *in,
90 + const struct net_device *out,
91 + const struct xt_match *match,
92 + const void *matchinfo,
94 + unsigned int protoff,
97 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
98 + const struct iphdr *iph = ip_hdr(skb);
99 + const struct ip_options *opt;
101 + if (iph->ihl * 4 == sizeof(struct iphdr)) {
102 + /* No options, so we match only the "DONTs" and the "IGNOREs" */
104 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
105 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
106 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
107 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
108 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
109 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
114 + if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
115 + /* there are options, and we don't need to care which one */
118 + if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
119 + /* there are options but we don't want any ! */
124 + opt = &(IPCB(skb)->opt);
126 + /* source routing */
127 + if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
128 + if (!((opt->srr) && (opt->is_strictroute)))
131 + else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
132 + if (!((opt->srr) && (!opt->is_strictroute)))
135 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
140 + if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
144 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
149 + if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
153 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
157 + /* router-alert option */
158 + if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
159 + if (!opt->router_alert)
162 + else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
163 + if (opt->router_alert)
172 +checkentry(const char *tablename,
174 + const struct xt_match *match,
176 + unsigned int hook_mask)
178 + const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
182 + /* Now check the coherence of the data ... */
183 + if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
184 + (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
185 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
186 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
187 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
188 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
189 + return 0; /* opposites */
190 + if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
191 + (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
192 + ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
193 + ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
194 + ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
195 + ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
196 + ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
197 + return 0; /* opposites */
198 + if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
199 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
200 + return 0; /* cannot match in the same time loose and strict source routing */
201 + if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
202 + ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
203 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
204 + return 0; /* opposites */
205 + if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
206 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
207 + return 0; /* opposites */
208 + if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
209 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
210 + return 0; /* opposites */
211 + if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
212 + ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
213 + return 0; /* opposites */
215 + /* everything looks ok. */
219 +static struct xt_match ipv4options_match = {
220 + .name = "ipv4options",
223 + .matchsize = sizeof(struct ipt_ipv4options_info),
224 + .checkentry = checkentry,
228 +static int __init init(void)
230 + return xt_register_match(&ipv4options_match);
233 +static void __exit fini(void)
235 + xt_unregister_match(&ipv4options_match);