netfilter: nft_exthdr: add boolean DCCP option matching

[ Upstream commit b9f9a485fb ] The xt_dccp iptables module supports the matching of DCCP packets based on the presence or absence of DCCP options. Extend nft_exthdr to add this functionality to nftables. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de> Stable-dep-of: 63331e37fb ("netfilter: nf_tables: fix 'exist' matching on bigendian arches") Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-09 22:19:45 +01:00 · 2023-05-09 22:19:45 +01:00 · 0bfbfd9423
commit 0bfbfd9423
parent 9225a4566b
2 changed files with 108 additions and 0 deletions
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@ -816,12 +816,14 @@ enum nft_exthdr_flags {
 * @NFT_EXTHDR_OP_TCP: match against tcp options
 * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
 * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
+ * @NFT_EXTHDR_OP_DCCP: match against dccp otions
 */
 enum nft_exthdr_op {
 	NFT_EXTHDR_OP_IPV6,
 	NFT_EXTHDR_OP_TCPOPT,
 	NFT_EXTHDR_OP_IPV4,
 	NFT_EXTHDR_OP_SCTP,
+	NFT_EXTHDR_OP_DCCP,
 	__NFT_EXTHDR_OP_MAX
 };
 #define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)