exthdr: add support for matching IPv4 options

Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Stephen Suryaputra <ssuryaextr@gmail.com> 2019-07-03 20:30:52 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-07-04 14:29:08 +0200
commit: 226a0e072d5c1edeb53cb61b959b011168c5c29a (patch)
tree: 07e43268efe15dc8b64b8ca9baca71e02239213f /src/evaluate.c
parent: 1694c01c30fba06461ca82ede070bf6a9cd9a4db (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 19c2d4c6..8086f750 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -513,6 +513,20 @@ static int __expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp)
 					  totlen, max_tcpoptlen);
 		break;
 	}
+	case NFT_EXTHDR_OP_IPV4: {
+		static const unsigned int max_ipoptlen = 40 * BITS_PER_BYTE;
+		unsigned int totlen = 0;
+
+		totlen += expr->exthdr.tmpl->offset;
+		totlen += expr->exthdr.tmpl->len;
+		totlen += expr->exthdr.offset;
+
+		if (totlen > max_ipoptlen)
+			return expr_error(ctx->msgs, expr,
+					  "offset and size %u exceeds max ip option len (%u)",
+					  totlen, max_ipoptlen);
+		break;
+	}
 	default:
 		break;
 	}
@@ -537,6 +551,9 @@ static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp)
 		dependency = &proto_tcp;
 		pb = PROTO_BASE_TRANSPORT_HDR;
 		break;
+	case NFT_EXTHDR_OP_IPV4:
+		dependency = &proto_ip;
+		break;
 	case NFT_EXTHDR_OP_IPV6:
 	default:
 		dependency = &proto_ip6;
author	Stephen Suryaputra <ssuryaextr@gmail.com>	2019-07-03 20:30:52 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-07-04 14:29:08 +0200
commit	226a0e072d5c1edeb53cb61b959b011168c5c29a (patch)
tree	07e43268efe15dc8b64b8ca9baca71e02239213f /src/evaluate.c
parent	1694c01c30fba06461ca82ede070bf6a9cd9a4db (diff)