- new

[packages/kernel.git] / kernel-pom-ng-ipv4options.patch

diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipv4options.h       1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipv4options.h       2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR              0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR              0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR          0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR                        0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR           0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP         0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP    0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT      0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT           0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT      0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+       u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
--- linux-2.6.21.a/net/ipv4/netfilter/Kconfig   2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig   2007-05-30 11:22:30.000000000 +0200
@@ -678,5 +678,18 @@ config IP_NF_TARGET_IPV4OPTSSTRIP
          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_MATCH_IPV4OPTIONS
+       tristate  'IPV4OPTIONS match support'
+       depends on IP_NF_IPTABLES
+       help
+         This option adds a IPV4OPTIONS match.
+         It allows you to filter options like source routing,
+         record route, timestamp and router-altert.
+       
+         If you say Y here, try iptables -m ipv4options --help for more information.
+        
+         If you want to compile it as a module, say M here and read
+         Documentation/modules.txt.  If unsure, say `N'.
+
 endmenu
 
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
--- linux-2.6.21.a/net/ipv4/netfilter/Makefile  2007-05-30 11:18:08.000000000 +0200
+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile  2007-05-30 11:22:30.000000000 +0200
@@ -64,6 +64,8 @@
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
 obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o
diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c
--- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipv4options.c 2007-05-30 11:22:30.000000000 +0200
@@ -0,0 +1,176 @@
+/*
+  This is a module which is used to match ipv4 options.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+  ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  11-mars-2001 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+  12-july-2001 Fabrice MARIE <fabrice@netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
+  12-august-2001 Imran Patel <ipatel@crosswinds.net> : optimization of the match.
+  18-november-2001 Fabrice MARIE <fabrice@netfilter.org> : added [!] 'any' option match.
+  19-february-2004 Harald Welte <laforge@netfilter.org> : merge with 2.6.x
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Fabrice Marie <fabrice@netfilter.org>");
+
+static bool
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const struct xt_match *match,
+      const void *matchinfo,
+      int offset,
+      unsigned int protoff,
+      bool *hotdrop)
+{
+       const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+       const struct iphdr *iph = ip_hdr(skb);
+       const struct ip_options *opt;
+
+       if (iph->ihl * 4 == sizeof(struct iphdr)) {
+               /* No options, so we match only the "DONTs" and the "IGNOREs" */
+
+               if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
+                   ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+                   ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+                   ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+                   ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+                    ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+                       return 0;
+               return 1;
+       }
+       else {
+               if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
+                       /* there are options, and we don't need to care which one */
+                       return 1;
+               else {
+                       if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+                               /* there are options but we don't want any ! */
+                               return 0;
+               }
+       }
+
+       opt = &(IPCB(skb)->opt);
+
+       /* source routing */
+       if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
+               if (!((opt->srr) && (opt->is_strictroute)))
+                       return 0;
+       }
+       else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
+               if (!((opt->srr) && (!opt->is_strictroute)))
+                       return 0;
+       }
+       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
+               if (opt->srr)
+                       return 0;
+       }
+       /* record route */
+       if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
+               if (!opt->rr)
+                       return 0;
+       }
+       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
+               if (opt->rr)
+                       return 0;
+       }
+       /* timestamp */
+       if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
+               if (!opt->ts)
+                       return 0;
+       }
+       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
+               if (opt->ts)
+                       return 0;
+       }
+       /* router-alert option  */
+       if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
+               if (!opt->router_alert)
+                       return 0;
+       }
+       else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
+               if (opt->router_alert)
+                       return 0;
+       }
+
+       /* we match ! */
+       return 1;
+}
+
+static bool
+checkentry(const char *tablename,
+          const void *ip,
+          const struct xt_match *match,
+          void *matchinfo,
+          unsigned int hook_mask)
+{
+       const struct ipt_ipv4options_info *info = matchinfo;   /* match info for rule */
+
+
+
+       /* Now check the coherence of the data ... */
+       if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+           (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
+            ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
+            ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+            ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
+            ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
+               return 0; /* opposites */
+       if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
+           (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
+               return 0; /* opposites */
+       if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
+           ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
+               return 0; /* cannot match in the same time loose and strict source routing */
+       if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+            ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
+           ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
+               return 0; /* opposites */
+       if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
+           ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
+               return 0; /* opposites */
+       if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
+           ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+               return 0; /* opposites */
+       if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
+           ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+               return 0; /* opposites */
+
+       /* everything looks ok. */
+       return 1;
+}
+
+static struct xt_match ipv4options_match = { 
+       .name = "ipv4options",
+       .family = AF_INET,
+       .match = match,
+       .matchsize = sizeof(struct ipt_ipv4options_info),
+       .checkentry = checkentry,
+       .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+       return xt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
+       xt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
+module_exit(fini);