On Wed, Jun 19, 2019 at 07:18:32PM +0200, Pablo Neira Ayuso wrote:
>
> Rules with these options will load fine:
>
> ip option eol type 1
> ip option noop type 1
> ip option sec type 1
> ip option timestamp type 1
> ip option rr type 1
> ip option sid type 1
>
> However, they will not ever match I think.
>
> found is set to true, but target is set to EOPNOTSUPP, then...
>
> [...]
> > + err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type, NULL, NULL);
>
> ... ipv4_find_option() returns -EOPNOTSUPP which says header does
> not exist.
>

Yes. My goal in writing this is mainly to block loose and/or strict source routing. The system also will need to block RA and RR. Others are not fully supported since we (my employer) don't need it. They can be added later on if desired...
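
Review bot: the ipv4_find_option() call passes priv->type through without checking that it is one of the option types the lookup handles, so, as noted in the quoted review, a rule for an unhandled type loads but gets -EOPNOTSUPP on every packet and never matches. Consider rejecting unsupported option types when the rule is loaded, so that a rule meant to filter packets carrying a given IP option fails visibly instead of being accepted and silently matching nothing.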