On Mon, Nov 04, 2013 at 04:36:20PM +0000, James Chapman wrote:
> Introduce an xtables add-on for matching L2TP packets. Supports L2TPv2
> and L2TPv3 over IPv4 and IPv6. As well as filtering on L2TP tunnel-id
> and session-id, the filtering decision can also include the L2TP
> packet type (control or data), protocol version (2 or 3) and
> encapsulation type (UDP or IP).
>
> The most common use for this will likely be to filter L2TP data
> packets of individual L2TP tunnels or sessions. While a u32 match can
> be used, the L2TP protocol headers are such that field offsets differ
> depending on bits set in the header, making rules for matching generic
> L2TP connections cumbersome. This match extension takes care of all
> that.
>
> +enum {
> + XT_L2TP_TID = (1 << 0), /* match L2TP tunnel id */
> + XT_L2TP_SID = (1 << 1), /* match L2TP session id */
> + XT_L2TP_VERSION = (1 << 2), /* match L2TP protocol version */
> + XT_L2TP_ENCAP = (1 << 3), /* match L2TP encapsulation type */
> + XT_L2TP_TYPE = (1 << 4), /* match L2TP packet type */
> +};
> +
> +static struct xt_match l2tp_mt_reg[] __read_mostly = {
> + {
> + .name = "l2tp",
> + .revision = 0,
> + .family = NFPROTO_IPV4,
> + .match = l2tp_mt4,
> + .matchsize = XT_ALIGN(sizeof(struct xt_l2tp_info)),
> + .hooks = ((1 << NF_INET_PRE_ROUTING) |
> + (1 << NF_INET_LOCAL_IN) |
> + (1 << NF_INET_LOCAL_OUT) |
> + (1 << NF_INET_FORWARD)),
> + .me = THIS_MODULE,
> + },

Please add a checkentry function and verify that no unknown flags are passed to the kernel.
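Review bot: the xt_match entry in the second hunk sets no `.checkentry` callback, so the five flag bits defined in the enum (`XT_L2TP_TID` through `XT_L2TP_TYPE`) are never validated and a userspace-supplied `struct xt_l2tp_info` with bits outside that set reaches `l2tp_mt4` unchecked. Suggest defining a mask of the valid bits next to the enum, adding a checkentry that returns -EINVAL when the flags field of the info struct (assumed here to be named `flags`, it is not visible in the hunk) has any bit set outside that mask, and wiring it in with `.checkentry = l2tp_mt_check` (name assumed). The entry also leaves `.proto` unset, which is consistent with matching both UDP and IP encapsulation, but it means `l2tp_mt4` itself must confirm the transport protocol and that the L2TP header is actually within the packet before reading tunnel or session ids from it.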