netfilter: nft_exthdr: Allow checking TCP option presence, too

Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is present. Signed-off-by: N Phil Sutter <phil@nwl.cc> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nft_exthdr: Allow checking TCP option presence, too
Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is present. Signed-off-by: N Phil Sutter <phil@nwl.cc> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
3c1fece8 · Phil Sutter · Pablo Neira Ayuso · 8d70eeb8 · 3c1fece8
隐藏空白更改
内联并排

Showing with 10 addition and 3 deletion

net/netfilter/nft_exthdr.c net/netfilter/nft_exthdr.c +10 -3

未找到文件。
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
 			goto err;
 		offset = i + priv->offset;
-		dest[priv->len / NFT_REG32_SIZE] = 0;
+		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
-		memcpy(dest, opt + offset, priv->len);
+			*dest = 1;
+		} else {
+			dest[priv->len / NFT_REG32_SIZE] = 0;
+			memcpy(dest, opt + offset, priv->len);
+		}
 		return;
 	}
 err:
-	regs->verdict.code = NFT_BREAK;
+	if (priv->flags & NFT_EXTHDR_F_PRESENT)
+		*dest = 0;
+	else
+		regs->verdict.code = NFT_BREAK;
 }
 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {