On Sat, Jun 01, 2019 at 10:27:32AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > >         iph = skb_header_pointer(skb, *offset, sizeof(_iph), &_iph);
> > >         if (!iph || skb->protocol != htons(ETH_P_IP))
> > >                 return -EBADMSG;
> >
> > I mean, you make this check upfront from the _eval() path, ie.
> >
> > static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
> > ...
> > {
> > ...
> >
> >         if (skb->protocol != htons(ETH_P_IP))
> >                 goto err;
>
> Wouldn't it be preferable to just use nft_pf() != NFPROTO_IPV4?

Then IPv4 options extension won't work from bridge and netdev families too, right?
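A constructed illustration of the difference discussed in this thread, added here and not code from the thread or from the kernel: it models only the two inputs the competing checks consult (the hook family that nft_pf() would report and skb->protocol), with the NFPROTO_* and ETH_P_* values assumed from the kernel headers, and shows which packets each check lets reach the IPv4 options parser.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Values as defined in the kernel headers (assumed; not quoted in the thread). */
#define ETH_P_IP        0x0800
#define ETH_P_IPV6      0x86DD
#define NFPROTO_IPV4    2
#define NFPROTO_NETDEV  5
#define NFPROTO_BRIDGE  7

/* Constructed stand-in for the only two fields the checks look at. */
struct pkt_ctx {
    uint8_t  family;    /* NFPROTO_* of the hook the rule runs in (what nft_pf() returns) */
    uint16_t protocol;  /* skb->protocol, network byte order */
};

/* Check as written in the patch: gate on the packet's own ethertype. */
static bool ipv4_by_skb_protocol(const struct pkt_ctx *pkt)
{
    return pkt->protocol == htons(ETH_P_IP);
}

/* Check suggested in review: gate on the hook family instead. */
static bool ipv4_by_nft_pf(const struct pkt_ctx *pkt)
{
    return pkt->family == NFPROTO_IPV4;
}

/*
 * Would the IPv4 options expression get to parse this packet?
 * use_nft_pf selects which of the two checks gates the parser.
 */
bool ipv4_options_reachable(uint8_t family, uint16_t ethertype, bool use_nft_pf)
{
    struct pkt_ctx pkt = { .family = family, .protocol = htons(ethertype) };

    return use_nft_pf ? ipv4_by_nft_pf(&pkt) : ipv4_by_skb_protocol(&pkt);
}

int main(void)
{
    /* An IPv4 frame seen from a bridge hook: only the skb->protocol check admits it. */
    printf("bridge hook, IPv4 frame: skb->protocol check=%d nft_pf check=%d\n",
           ipv4_options_reachable(NFPROTO_BRIDGE, ETH_P_IP, false),
           ipv4_options_reachable(NFPROTO_BRIDGE, ETH_P_IP, true));
    return 0;
}
```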