On Wed, Jun 19, 2019 at 01:58:02PM -0400, Stephen Suryaputra wrote:
> On Wed, Jun 19, 2019 at 07:18:32PM +0200, Pablo Neira Ayuso wrote:
> >
> > Rules with these options will load fine:
> >
> > ip option eol type 1
> > ip option noop type 1
> > ip option sec type 1
> > ip option timestamp type 1
> > ip option rr type 1
> > ip option sid type 1
> >
> > However, they will not ever match I think.
> >
> > found is set to true, but target is set to EOPNOTSUPP, then...
> >
> > [...]
> > > + err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type, NULL, NULL);
> >
> > ... ipv4_find_option() returns -EOPNOTSUPP which says header does
> > not exist.
>
> Yes. My goal in writing this is mainly to block loose and/or strict
> source routing. The system also will need to block RA and RR. Others are
> not fully supported since we (my employer) don't need it. They can be
> added later on if desired...

OK, that's fine.

Then I'd suggest you remove support from eol, noop, sec, timestamp and
sid from the userspace patches.

Thanks!
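
Review bot: at the quoted ipv4_find_option() call, a -EOPNOTSUPP result for an unsupported priv->type is handled, per the discussion above, as "header does not exist", so a rule naming an unsupported option loads and then silently never matches. Besides dropping those keywords from userspace, it would be worth rejecting unsupported option types when the expression is set up, so that a rule a filter policy relies on fails to load instead of becoming a no-op.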