From: Stephen Suryaputra
Date: Thu, 20 Jun 2019 11:54:29 +0000 (-0400)
Subject: src: add support for matching IPv4 options
X-Git-Tag: libnftnl-1.1.4~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60d9378df4e9c7324392e76b0408b6dda6e8bc1c;p=thirdparty%2Flibnftnl.git

src: add support for matching IPv4 options

Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options.

Signed-off-by: Stephen Suryaputra
Signed-off-by: Pablo Neira Ayuso
---
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 38f74e42..5b1c380c 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -729,10 +729,12 @@ enum nft_exthdr_flags {
 *
 * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
 * @NFT_EXTHDR_OP_TCP: match against tcp options
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
 */
 enum nft_exthdr_op {
 NFT_EXTHDR_OP_IPV6,
 NFT_EXTHDR_OP_TCPOPT,
+ NFT_EXTHDR_OP_IPV4,
 __NFT_EXTHDR_OP_MAX
 };
 #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index bef453e0..e5f714b0 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -200,6 +200,9 @@ static const char *op2str(uint8_t op)
 case NFT_EXTHDR_OP_TCPOPT:
 return " tcpopt";
 case NFT_EXTHDR_OP_IPV6:
+ return " ipv6";
+ case NFT_EXTHDR_OP_IPV4:
+ return " ipv4";
 default:
 return "";
 }
@@ -209,6 +212,8 @@ static inline int str2exthdr_op(const char* str)
 {
 if (!strcmp(str, "tcpopt"))
 return NFT_EXTHDR_OP_TCPOPT;
+ if (!strcmp(str, "ipv4"))
+ return NFT_EXTHDR_OP_IPV4;
 /* if str == "ipv6" or anything else */
 return NFT_EXTHDR_OP_IPV6;
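Review bot: In `op2str()` in src/expr/exthdr.c, the added `return " ipv6";` under `case NFT_EXTHDR_OP_IPV6:` changes the string for existing IPv6 expressions, which previously fell through to `default` and returned `""`; the commit description mentions only IPv4 options. If op2str feeds the expression's printed form (its caller is outside the hunk), anything that compares or parses that text, such as test expectations or tooling that diffs rulesets, will see a different line for unchanged IPv6 rules. Either keep the old fall-through for IPv6 or state the format change in the description and mark it in the code, for example `/* ipv6 is printed explicitly so it is distinguishable from an unknown op */`. op2str's body begins and ends outside the hunk.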
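Review bot: In `str2exthdr_op()`, every string other than "tcpopt" or "ipv4" still resolves to `NFT_EXTHDR_OP_IPV6`, so a misspelled or differently cased operator is accepted as an IPv6 extension-header match instead of being rejected. With three operators and the stated purpose of dropping source-routed packets, that silent fallback can turn an intended IPv4 option filter into a rule that matches something else without any error being reported. Consider matching "ipv6" explicitly and failing on the rest, `if (!strcmp(str, "ipv6")) return NFT_EXTHDR_OP_IPV6;` followed by `return -1;`, with callers checking for the negative value; the callers are not visible here, so confirm they can propagate the error. The function's closing brace lies outside the hunk.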