src: add support for matching IPv4 options

Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Stephen Suryaputra <ssuryaextr@gmail.com> 2019-06-20 07:54:29 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-07-04 14:24:54 +0200
commit: 60d9378df4e9c7324392e76b0408b6dda6e8bc1c (patch)
tree: 52f1ec3fe1347bff6efb7e70db5e3c3fc2471b78 /include/linux/netfilter/nf_tables.h
parent: 3587ad1e751576993b2d11391ee17b07b1d99075 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 38f74e4..5b1c380 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -729,10 +729,12 @@ enum nft_exthdr_flags {
  *
  * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
  * @NFT_EXTHDR_OP_TCP: match against tcp options
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
  */
 enum nft_exthdr_op {
 	NFT_EXTHDR_OP_IPV6,
 	NFT_EXTHDR_OP_TCPOPT,
+	NFT_EXTHDR_OP_IPV4,
 	__NFT_EXTHDR_OP_MAX
 };
 #define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)
author	Stephen Suryaputra <ssuryaextr@gmail.com>	2019-06-20 07:54:29 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-07-04 14:24:54 +0200
commit	60d9378df4e9c7324392e76b0408b6dda6e8bc1c (patch)
tree	52f1ec3fe1347bff6efb7e70db5e3c3fc2471b78 /include/linux/netfilter/nf_tables.h
parent	3587ad1e751576993b2d11391ee17b07b1d99075 (diff)