diff options
author | Stephen Suryaputra <ssuryaextr@gmail.com> | 2019-07-03 20:30:52 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-04 14:29:08 +0200 |
commit | 226a0e072d5c1edeb53cb61b959b011168c5c29a (patch) | |
tree | 07e43268efe15dc8b64b8ca9baca71e02239213f /src/evaluate.c | |
parent | 1694c01c30fba06461ca82ede070bf6a9cd9a4db (diff) |
exthdr: add support for matching IPv4 options
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 19c2d4c6..8086f750 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -513,6 +513,20 @@ static int __expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp) totlen, max_tcpoptlen); break; } + case NFT_EXTHDR_OP_IPV4: { + static const unsigned int max_ipoptlen = 40 * BITS_PER_BYTE; + unsigned int totlen = 0; + + totlen += expr->exthdr.tmpl->offset; + totlen += expr->exthdr.tmpl->len; + totlen += expr->exthdr.offset; + + if (totlen > max_ipoptlen) + return expr_error(ctx->msgs, expr, + "offset and size %u exceeds max ip option len (%u)", + totlen, max_ipoptlen); + break; + } default: break; } @@ -537,6 +551,9 @@ static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp) dependency = &proto_tcp; pb = PROTO_BASE_TRANSPORT_HDR; break; + case NFT_EXTHDR_OP_IPV4: + dependency = &proto_ip; + break; case NFT_EXTHDR_OP_IPV6: default: dependency = &proto_ip6; |