netfilter: add IPv4/6 IPComp extension match support
With this plugin, a user can specify that IPComp packets tagged with a certain CPI the host is not interested in are DROPped, or given any other action. For example:
iptables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP
ip6tables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP
Then an incoming IPComp packet whose CPI equals 0x87 will not reach the upper layer anymore.
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
08c0cad69f
commit
6a649f3398
5 changed files with 138 additions and 0 deletions
|
|
@ -54,6 +54,7 @@ header-y += xt_ecn.h
|
|||
header-y += xt_esp.h
|
||||
header-y += xt_hashlimit.h
|
||||
header-y += xt_helper.h
|
||||
header-y += xt_ipcomp.h
|
||||
header-y += xt_iprange.h
|
||||
header-y += xt_ipvs.h
|
||||
header-y += xt_length.h
|
||||
|
|
|
|||
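--- a/include/uapi/linux/netfilter/xt_ipcomp.h
+++ b/include/uapi/linux/netfilter/xt_ipcomp.h
@@ -0,0 +1,16 @@
+#ifndef _XT_IPCOMP_H
+#define _XT_IPCOMP_H
+
+#include <linux/types.h>
+
+struct xt_ipcomp {
+__u32 spis[2]; /* Security Parameter Index */
+__u8 invflags; /* Inverse flags */
+__u8 hdrres; /* Test of the Reserved Filed */
+};
+
+/* Values for "invflags" field in struct xt_ipcomp. */
+#define XT_IPCOMP_INV_SPI 0x01 /* Invert the sense of spi. */
+#define XT_IPCOMP_INV_MASK 0x01 /* All possible flags. */
+
+#endif /*_XT_IPCOMP_H*/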
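Review bot: The field comments in `struct xt_ipcomp` do not state the contract of this userspace-supplied struct: `spis[2]` is labelled "Security Parameter Index" although the commit message matches on the IPComp CPI, and nothing says what the two elements mean or which values are valid. I would write `__u32 spis[2]; /* CPI range to match, presumably [0] = min and [1] = max; confirm against the match code */` and fix the typo as `/* Test of the Reserved Field */`. Because `invflags` and `hdrres` arrive from userspace, the match's checkentry (not visible in this section) should reject any `invflags` bit outside `XT_IPCOMP_INV_MASK`, and a comment next to the mask could say so. The struct also ends in two bytes of implicit padding after the two `__u8` members, which is worth spelling out for a UAPI layout.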