author: Phil Sutter <phil@nwl.cc>  2017-02-20 17:52:27 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org>  2017-03-06 17:52:56 +0100
commit: 3c1fece8819ed25257461b71e7c75a1f33eaa61d
tree: 402661ad234dfb079d3ca61e66e2bd18bad1e167
parent: 8d70eeb84ab277377c017af6a21d0a337025dede
netfilter: nft_exthdr: Allow checking TCP option presence, too
Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is
present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/nft_exthdr.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index c308920b194c..d212a85d2f33 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, goto err; offset = i + priv->offset; - dest[priv->len / NFT_REG32_SIZE] = 0; - memcpy(dest, opt + offset, priv->len); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { + *dest = 1; + } else { + dest[priv->len / NFT_REG32_SIZE] = 0; + memcpy(dest, opt + offset, priv->len); + } return; } err: - regs->verdict.code = NFT_BREAK; + if (priv->flags & NFT_EXTHDR_F_PRESENT) + *dest = 0; + else + regs->verdict.code = NFT_BREAK; } static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { |
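Review bot: with NFT_EXTHDR_F_PRESENT set, the `err:` label now folds every failure path into `*dest = 0`, including the `goto err;` visible immediately before `offset = i + priv->offset;`, which is taken only after the option type has already been matched and the option merely failed its length/bounds check. Under the old code that path broke the rule with `NFT_BREAK`; after this change a matching but malformed option is reported as "not present", and the same holds for whatever earlier `goto err` sites cover non-TCP or unparseable headers. If that is the intended semantics, a short comment at `err:` stating that a presence result of 0 also covers packets whose TCP header could not be parsed would help rule authors; otherwise consider keeping `regs->verdict.code = NFT_BREAK;` for parse failures and setting `*dest = 0` only when the option scan completes without finding `priv->type`.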