Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-19 Thread Pablo Neira Ayuso
On Wed, Jun 19, 2019 at 01:58:02PM -0400, Stephen Suryaputra wrote: > On Wed, Jun 19, 2019 at 07:18:32PM +0200, Pablo Neira Ayuso wrote: > > > > Rules with these options will load fine: > > > > ip option eol type 1 > > ip option noop type 1 > > ip option sec type 1 > > ip option timestamp type 1 >

Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-19 Thread Stephen Suryaputra
On Wed, Jun 19, 2019 at 07:18:32PM +0200, Pablo Neira Ayuso wrote: > > Rules with these options will load fine: > > ip option eol type 1 > ip option noop type 1 > ip option sec type 1 > ip option timestamp type 1 > ip option rr type 1 > ip option sid type 1 > > However, they will not ever match I

Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-19 Thread Pablo Neira Ayuso
On Tue, Jun 11, 2019 at 08:09:12AM -0400, Stephen Suryaputra wrote: [...] > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c > index a940c9fd9045..4155a32fade7 100644 > --- a/net/netfilter/nft_exthdr.c > +++ b/net/netfilter/nft_exthdr.c [...] > +static int ipv4_find_option(struc

Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-19 Thread Pablo Neira Ayuso
On Tue, Jun 18, 2019 at 10:13:55AM -0400, Stephen Suryaputra wrote: > On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote: > > > +{ > > > + unsigned char optbuf[sizeof(struct ip_options) + 41]; > > > > In other parts of the kernel this is + 40: > > > > net/ipv4/cipso_ipv4.c: unsign

Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-18 Thread Stephen Suryaputra
On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote: > > +{ > > + unsigned char optbuf[sizeof(struct ip_options) + 41]; > > In other parts of the kernel this is + 40: > > net/ipv4/cipso_ipv4.c: unsigned char optbuf[sizeof(struct ip_options) + 40]; > > here it is + 41. > > ... >

Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-18 Thread Pablo Neira Ayuso
On Tue, Jun 11, 2019 at 08:09:12AM -0400, Stephen Suryaputra wrote: [...] > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c > index a940c9fd9045..4155a32fade7 100644 > --- a/net/netfilter/nft_exthdr.c > +++ b/net/netfilter/nft_exthdr.c > @@ -62,6 +62,125 @@ static void nft_exth

[PATCH RESEND nf-next] netfilter: add support for matching IPv4 options

2019-06-11 Thread Stephen Suryaputra
This is the kernel change for the overall changes with this description: Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route options. Nevertheless, the implementation includes others and ability to