netfilter-2.6/patch-o-matic-ng/trunk: include/linux/netfilter_ipv4/ipt_ipv4options.h
net/ipv4/netfil...
pluto
cvs at pld-linux.org
Thu Jul 28 10:15:58 CEST 2005
Author: pluto
Date: Thu Jul 28 10:15:49 2005
New Revision: 6245
Added:
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_ipv4options.h
netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_ipv4options.c
Modified:
netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
netfilter-2.6/patch-o-matic-ng/trunk/status
Log:
- ipv4options match, IPV4OPTSSTRIP target.
Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_ipv4options.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_ipv4options.h Thu Jul 28 10:15:49 2005
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR 0x01 /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR 0x02 /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR 0x04 /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR 0x08 /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR 0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP 0x20 /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP 0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT 0x80 /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT 0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT 0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT 0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+ u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
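Review bot: `struct ipt_ipv4options_info` is the kernel/userspace ABI of the match, yet nothing in the header says how the flag bits may be combined or that the struct size is checked (the kernel side compares `matchsize` against `IPT_ALIGN(sizeof(struct ipt_ipv4options_info))` in checkentry). A comment above the struct along the lines of `/* Bitmask of IPT_IPV4OPTION_* flags. MATCH_x and DONT_MATCH_x are mutually exclusive and SSRR cannot be combined with LSRR; checkentry() rejects such rules. Size is ABI, do not extend. */` would document that. The `DONT_MATCH_RR`, `DONT_MATCH_TIMESTAMP` and `DONT_MATCH_ROUTER_ALERT` defines also lack the one-line comments their MATCH counterparts carry.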
Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig (original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig Thu Jul 28 10:15:49 2005
@@ -795,5 +795,28 @@
default IP_NF_NAT if IP_NF_CT_PROTO_GRE=y
default m if IP_NF_CT_PROTO_GRE=m
+config IP_NF_MATCH_IPV4OPTIONS
+ tristate 'IPV4OPTIONS match support'
+ depends on IP_NF_IPTABLES
+ help
+ This option adds a IPV4OPTIONS match.
+ It allows you to filter options like source routing,
+ record route, timestamp and router-altert.
+
+ If you say Y here, try iptables -m ipv4options --help for more information.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
+config IP_NF_TARGET_IPV4OPTSSTRIP
+ tristate 'IPV4OPTSSTRIP target support'
+ depends on IP_NF_MANGLE
+ help
+ This option adds an IPV4OPTSSTRIP target.
+ This target allows you to strip all IP options in a packet.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
endmenu
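Review bot: Two typos in the new help text: `record route, timestamp and router-altert.` should read `router-alert`, and `This option adds a IPV4OPTIONS match.` should be `an IPV4OPTIONS match`. The IPV4OPTSSTRIP help also overstates what the target does: the implementation in ipt_IPV4OPTSSTRIP.c overwrites the option bytes with NOOPs and leaves the header length untouched, so `This target allows you to strip all IP options in a packet.` would be more accurate as `This target overwrites all IP options in a packet with NOOPs (the header length is unchanged).`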
Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile (original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile Thu Jul 28 10:15:49 2005
@@ -60,6 +60,9 @@
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
+
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
@@ -88,6 +91,7 @@
obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c Thu Jul 28 10:15:49 2005
@@ -0,0 +1,89 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice at netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice at netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
+ const void *targinfo,
+ void *userinfo)
+{
+ struct iphdr *iph;
+ struct sk_buff *skb;
+ struct ip_options *opt;
+ unsigned char *optiph;
+ int l;
+
+ if (!skb_ip_make_writable(pskb, (*pskb)->len))
+ return NF_DROP;
+
+ skb = (*pskb);
+ iph = (*pskb)->nh.iph;
+ optiph = skb->nh.raw;
+ l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+
+ /* if no options in packet then nothing to clear. */
+ if (iph->ihl * 4 == sizeof(struct iphdr))
+ return IPT_CONTINUE;
+
+ /* else clear all options */
+ memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+ memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+ opt = &(IPCB(skb)->opt);
+ opt->is_data = 0;
+ opt->optlen = l;
+
+ skb->nfcache |= NFC_ALTERED;
+
+ return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ if (strcmp(tablename, "mangle")) {
+ printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+ return 0;
+ }
+ /* nothing else to check because no parameters */
+ return 1;
+}
+
+static struct ipt_target ipt_ipv4optsstrip_reg = {
+ .name = "IPV4OPTSSTRIP",
+ .target = target,
+ .checkentry = checkentry,
+ .me = THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
+module_exit(fini);
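Review bot: After the overwrite at `memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);` the IPv4 header checksum is left stale: the option bytes change but `iph->check` is never recomputed, and as far as I can see nothing downstream of the mangle hooks redoes it, so a forwarded or locally generated packet would leave with a bad checksum; add `ip_send_check(iph);` right after the memset. The length `l` is read from `IPCB(skb)->opt.optlen`, which is only meaningful once the kernel's option parser has run for this packet, whereas `l = iph->ihl * 4 - sizeof(struct iphdr);` is the on-wire option area that actually needs blanking and is always available (and `skb_ip_make_writable` then only needs `iph->ihl * 4` bytes, not `(*pskb)->len`). Finally, the file comment "Strip all IP options" should say that the options are replaced by NOOPs rather than removed, since `ihl` is unchanged and the packet keeps its enlarged header.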
Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_ipv4options.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_ipv4options.c Thu Jul 28 10:15:49 2005
@@ -0,0 +1,172 @@
+/*
+ This is a module which is used to match ipv4 options.
+ This file is distributed under the terms of the GNU General Public
+ License (GPL). Copies of the GPL can be obtained from:
+ ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+ 11-mars-2001 Fabrice MARIE <fabrice at netfilter.org> : initial development.
+ 12-july-2001 Fabrice MARIE <fabrice at netfilter.org> : added router-alert otions matching. Fixed a bug with no-srr
+ 12-august-2001 Imran Patel <ipatel at crosswinds.net> : optimization of the match.
+ 18-november-2001 Fabrice MARIE <fabrice at netfilter.org> : added [!] 'any' option match.
+ 19-february-2004 Harald Welte <laforge at netfilter.org> : merge with 2.6.x
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Fabrice Marie <fabrice at netfilter.org>");
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ int *hotdrop)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
+ const struct iphdr *iph = skb->nh.iph;
+ const struct ip_options *opt;
+
+ if (iph->ihl * 4 == sizeof(struct iphdr)) {
+ /* No options, so we match only the "DONTs" and the "IGNOREs" */
+
+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
+ return 0;
+ return 1;
+ }
+ else {
+ if ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)
+ /* there are options, and we don't need to care which one */
+ return 1;
+ else {
+ if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
+ /* there are options but we don't want any ! */
+ return 0;
+ }
+ }
+
+ opt = &(IPCB(skb)->opt);
+
+ /* source routing */
+ if ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) {
+ if (!((opt->srr) & (opt->is_strictroute)))
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) {
+ if (!((opt->srr) & (!opt->is_strictroute)))
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) {
+ if (opt->srr)
+ return 0;
+ }
+ /* record route */
+ if ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) {
+ if (!opt->rr)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) {
+ if (opt->rr)
+ return 0;
+ }
+ /* timestamp */
+ if ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) {
+ if (!opt->ts)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) {
+ if (opt->ts)
+ return 0;
+ }
+ /* router-alert option */
+ if ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) {
+ if (!opt->router_alert)
+ return 0;
+ }
+ else if ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) {
+ if (opt->router_alert)
+ return 0;
+ }
+
+ /* we match ! */
+ return 1;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ const struct ipt_ipv4options_info *info = matchinfo; /* match info for rule */
+ /* Check the size */
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipv4options_info)))
+ return 0;
+ /* Now check the coherence of the data ... */
+ if (((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT) &&
+ (((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) ||
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) == IPT_IPV4OPTION_DONT_MATCH_ANY_OPT) &&
+ (((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_ANY_OPT) == IPT_IPV4OPTION_MATCH_ANY_OPT)))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) &&
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR))
+ return 0; /* cannot match in the same time loose and strict source routing */
+ if ((((info->options & IPT_IPV4OPTION_MATCH_SSRR) == IPT_IPV4OPTION_MATCH_SSRR) ||
+ ((info->options & IPT_IPV4OPTION_MATCH_LSRR) == IPT_IPV4OPTION_MATCH_LSRR)) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_SRR) == IPT_IPV4OPTION_DONT_MATCH_SRR))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_RR) == IPT_IPV4OPTION_MATCH_RR) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_RR) == IPT_IPV4OPTION_DONT_MATCH_RR))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP) == IPT_IPV4OPTION_MATCH_TIMESTAMP) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) == IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
+ return 0; /* opposites */
+ if (((info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_MATCH_ROUTER_ALERT) &&
+ ((info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT) == IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
+ return 0; /* opposites */
+
+ /* everything looks ok. */
+ return 1;
+}
+
+static struct ipt_match ipv4options_match = {
+ .name = "ipv4options",
+ .match = match,
+ .checkentry = checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ipt_register_match(&ipv4options_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ipv4options_match);
+}
+
+module_init(init);
+module_exit(fini);
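Review bot: The strict/loose source-route tests use a bitwise AND on fields that are not booleans: to my recollection `opt->srr` in struct ip_options holds the option's byte offset within the header (e.g. 20) while `is_strictroute` is a one-bit flag, so `(opt->srr) & (opt->is_strictroute)` reduces to `offset & 1` and `--ssrr` fails to match a strict-source-routed packet whose option starts at an even offset, the common case right after the fixed header; the `--lsrr` line has the same problem. They should be logical tests: `if (!(opt->srr && opt->is_strictroute))` and `if (!(opt->srr && !opt->is_strictroute))`. Since the typical rule is `-m ipv4options --ssrr -j DROP`, this is a filter bypass rather than a cosmetic bug. Separately, everything below the ihl check reads `IPCB(skb)->opt`, which is filled in by the kernel's option parser; if that parser runs only after PREROUTING (as I believe it does in ip_rcv_finish), rules placed there see an empty struct and the per-option matches silently fail, so please confirm and either restrict the allowed hooks via `hook_mask` in checkentry() with a comment, or parse the options from `skb->nh.raw` directly.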
Modified: netfilter-2.6/patch-o-matic-ng/trunk/status
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/status (original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/status Thu Jul 28 10:15:49 2005
@@ -18,8 +18,8 @@
ipp2p added+updated (v0.7.4)
ip_queue_vmark added
iprange updated
-ipv4options added
-IPV4OPTSSTRIP added
+ipv4options 2005/07/27 added
+IPV4OPTSSTRIP 2005/07/27 added
layer7 added (v1.2)
mms-conntrack-nat 2005/07/27 updated
NETMAP updated