author | Stephen Suryaputra <ssuryaextr@gmail.com> | 2019-07-03 20:30:52 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-04 14:29:08 +0200 |
commit | 226a0e072d5c1edeb53cb61b959b011168c5c29a (patch) | |
tree | 07e43268efe15dc8b64b8ca9baca71e02239213f /include | |
parent | 1694c01c30fba06461ca82ede070bf6a9cd9a4db (diff) |
exthdr: add support for matching IPv4 options
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 1 | ||||
-rw-r--r-- | include/exthdr.h | 1 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 2 |
3 files changed, 4 insertions, 0 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index 2d77a768..04a4a619 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -7,6 +7,7 @@ noinst_HEADERS = cli.h \
 expression.h \
 fib.h \
 hash.h \
+ ipopt.h \
 json.h \
 mini-gmp.h \
 gmputil.h \
diff --git a/include/exthdr.h b/include/exthdr.h
index 32f99c9c..3959a65c 100644
--- a/include/exthdr.h
+++ b/include/exthdr.h
@@ -3,6 +3,7 @@
 #include <proto.h>
 #include <tcpopt.h>
+#include <ipopt.h>
 /**
 * struct exthdr_desc - extension header description
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234f..393bcb56 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -730,10 +730,12 @@ enum nft_exthdr_flags {
 *
 * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
 * @NFT_EXTHDR_OP_TCP: match against tcp options
+ * @NFT_EXTHDR_OP_IPV4: match against ip options
 */
 enum nft_exthdr_op {
 NFT_EXTHDR_OP_IPV6,
 NFT_EXTHDR_OP_TCPOPT,
+ NFT_EXTHDR_OP_IPV4,
 __NFT_EXTHDR_OP_MAX
 };
 #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) |
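Review bot: The `ipopt.h \` entry added to `noinst_HEADERS` here, and the `#include <ipopt.h>` added in the exthdr.h hunk, both name a header that this commit does not appear to add. The diffstat for include/ lists only Makefile.am, exthdr.h and linux/netfilter/nf_tables.h, and include/ipopt.h is not among them. Unless that file already exists in the tree, every translation unit that pulls in exthdr.h would fail to compile and the dist target would fail on the missing header. The commit should carry include/ipopt.h together with these two references.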
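Review bot: The new kernel-doc line in the nf_tables.h hunk says "match against ip options", which is ambiguous next to the IPv6 entry. `* @NFT_EXTHDR_OP_IPV4: match against IPv4 options` would agree with the enumerator name and the commit title. The context line above it documents `@NFT_EXTHDR_OP_TCP` while the enumerator is `NFT_EXTHDR_OP_TCPOPT`, so that entry matches no member; it predates this commit but could be corrected in the same place. This file looks like a copy of the kernel UAPI header, so the wording presumably has to change upstream first and be synced here. How a kernel that lacks this op treats a rule using it is not visible in the hunk and is worth confirming, since the stated purpose is dropping source-routed packets.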