Commit 3c1fece8 authored by Phil Sutter, committed by Pablo Neira Ayuso

netfilter: nft_exthdr: Allow checking TCP option presence, too

Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is
present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 8d70eeb8
...@@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, ...@@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
goto err; goto err;
offset = i + priv->offset; offset = i + priv->offset;
dest[priv->len / NFT_REG32_SIZE] = 0; if (priv->flags & NFT_EXTHDR_F_PRESENT) {
memcpy(dest, opt + offset, priv->len); *dest = 1;
} else {
dest[priv->len / NFT_REG32_SIZE] = 0;
memcpy(dest, opt + offset, priv->len);
}
return; return;
} }
err: err:
regs->verdict.code = NFT_BREAK; if (priv->flags & NFT_EXTHDR_F_PRESENT)
*dest = 0;
else
regs->verdict.code = NFT_BREAK;
} }
static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
......
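Review bot: The zeroing store kept in the new else branch, `dest[priv->len / NFT_REG32_SIZE] = 0;`, indexes one register past the span the following memcpy fills whenever priv->len is an exact multiple of NFT_REG32_SIZE, so it clobbers a register this expression does not own and, if the destination is the last register, would write past the register array. The store is only needed to clear the padding of a partially filled last register, so it could be guarded: `if (priv->len % NFT_REG32_SIZE) dest[priv->len / NFT_REG32_SIZE] = 0;`. Whether the destination-register validation leaves room for that extra slot is not visible here, since the function and its init path start outside the hunk. Separately, with NFT_EXTHDR_F_PRESENT set every `goto err` now stores 0 instead of breaking, including the one just above the first changed line, so a matching option that fails that check is reported as absent; a comment at `err:` such as `/* presence check: any parse failure counts as "option absent" */` would document that.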