netfilter: nft_exthdr: Allow checking TCP option presence, too
authorPhil Sutter <phil@nwl.cc>
Mon, 20 Feb 2017 16:52:27 +0000 (17:52 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 6 Mar 2017 16:52:56 +0000 (17:52 +0100)
Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is
present.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_exthdr.c

index c308920b194cdbe5e3a2e9a09cfb8aab7267f588..d212a85d2f3336e1b1a393c5ac4bf4fc8f1eebca 100644 (file)
@@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
                        goto err;
 
                offset = i + priv->offset;
-               dest[priv->len / NFT_REG32_SIZE] = 0;
-               memcpy(dest, opt + offset, priv->len);
+               if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+                       *dest = 1;
+               } else {
+                       dest[priv->len / NFT_REG32_SIZE] = 0;
+                       memcpy(dest, opt + offset, priv->len);
+               }
 
                return;
        }
 
 err:
-       regs->verdict.code = NFT_BREAK;
+       if (priv->flags & NFT_EXTHDR_F_PRESENT)
+               *dest = 0;
+       else
+               regs->verdict.code = NFT_BREAK;
 }
 
 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
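Review bot: The new `err:` branch makes every failure that jumps there read as "option absent" when NFT_EXTHDR_F_PRESENT is set, including the `goto err` at the top of the hunk that appears to cover a packet with no usable TCP header or malformed option space, not just a missing option (the earlier checks are outside the hunk, so this is inferred from the label's other users). That is a defensible choice, but a presence rule will then also match non-TCP or truncated packets, which is easy to misread when writing a "missing option" rule, and nothing in the hunk documents it. A comment above the label would make the contract explicit: `/* Reached for both a missing option and an unparsable TCP header: in presence mode both report "absent" instead of breaking the rule. */`. nft_exthdr_tcp_eval begins before this hunk.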