About
netfilter/iptables - Patch-o-Matic Listing - base

Patches in this repository: IPV4OPTSSTRIP, ipv4options, set, u32
IPV4OPTSSTRIP

This option adds CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP, which supplies a target module that will allow you to strip all the IP options from a packet. The target doesn't take any option, and is therefore extremely easy to use:

# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list -n
Chain PREROUTING (policy ACCEPT)
target         prot opt source       destination
IPV4OPTSSTRIP  all  --  0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target         prot opt source       destination
ipv4options

This option adds an iptables 'ipv4options' match, which allows you to match on IPv4 header options like source routing, record route, timestamp and router-alert. Supported options are:

--ssrr          Match packets with the strict source routing flag.
--lsrr          Match packets with the loose source routing flag.
--no-srr        Match packets with no source routing flag.
[!] --rr        Match packets with the RR (record route) flag.
[!] --ts        Match packets with the TS (timestamp) flag.
[!] --ra        Match packets with the router-alert option.
[!] --any-opt   Match a packet with at least one IP option, or with no IP option at all if ! is chosen.

Example:

$ iptables -A input -m ipv4options --rr -j DROP
will drop packets with the record-route flag.

$ iptables -A input -m ipv4options --ts -j DROP
will drop packets with the timestamp flag.
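To make concrete what the ipv4options match tests and what IPV4OPTSSTRIP removes, here is an added Python example. It is not code from netfilter or from the two patches above: it parses the IPv4 option list of a raw packet, evaluates the condition behind each ipv4options flag, and strips the options the way the target does (IHL reset to 5, total length and header checksum recomputed). The option type codes are the RFC 791 / RFC 2113 values; the sample packet, the function names and the choice to ignore NOP/EOOL padding for --any-opt are this example's own assumptions.

```python
import struct

# IPv4 option type codes (RFC 791, RFC 2113). Mapping the ipv4options flags
# onto these codes is this example's reading of the match, not the module source.
OPT_EOOL, OPT_NOP = 0, 1
OPT_RR, OPT_TS, OPT_LSRR, OPT_SSRR, OPT_RA = 7, 68, 131, 137, 148


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet(options: bytes, payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal IPv4 packet (proto 1) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary with EOOL
    ihl_words = 5 + len(options) // 4
    total_len = 20 + len(options) + len(payload)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x40 | ihl_words, 0, total_len, 0x1234, 0, 64, 1, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr += options
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def parse_options(pkt: bytes) -> list:
    """Return the type codes of the options in the IPv4 header (NOP/EOOL padding excluded)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        # every other option is TLV: type, length (>= 2), data; reject truncated ones
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        found.append(t)
        i += opts[i + 1]
    return found


def ipv4options_flags(pkt: bytes) -> dict:
    """Evaluate the condition behind each ipv4options flag for one packet."""
    types = set(parse_options(pkt))
    srr = OPT_SSRR in types or OPT_LSRR in types
    return {"ssrr": OPT_SSRR in types, "lsrr": OPT_LSRR in types, "no-srr": not srr,
            "rr": OPT_RR in types, "ts": OPT_TS in types, "ra": OPT_RA in types,
            "any-opt": bool(types)}


def strip_options(pkt: bytes) -> bytes:
    """What IPV4OPTSSTRIP does: drop the options, set IHL=5, fix total length and checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:20])
    hdr[0] = 0x45
    old_total = struct.unpack_from("!H", pkt, 2)[0]
    struct.pack_into("!H", hdr, 2, old_total - (ihl - 20))
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


# Constructed sample: record-route (type 7, len 7, pointer 4, one empty address slot)
# followed by router-alert (type 148, len 4, value 0), then a 4-byte payload.
RR_OPT = bytes([OPT_RR, 7, 4, 0, 0, 0, 0])
RA_OPT = bytes([OPT_RA, 4, 0, 0])
SAMPLE = build_sample_packet(RR_OPT + RA_OPT, b"ping")

if __name__ == "__main__":
    print("before strip:", ipv4options_flags(SAMPLE))
    print("after strip: ", ipv4options_flags(strip_options(SAMPLE)))
```

Running the module prints the flag table for the sample packet before and after stripping; a packet whose option list is truncated or carries a length below 2 is rejected by parse_options rather than silently skipped, which is the check a packet parser in this position needs.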
set

This adds CONFIG_IP_NF_SET, which provides a match which lets you use IP sets; the match depends on whether a checked source or destination address/network address/port has its bit set in/added to the given set. It also provides a SET target, which can be used to add or remove the addresses/ports of a packet to/from a set. The currently supported types of the sets are: ipmap, macipmap, portmap, iphash, nethash, ipporthash and iptree. It is possible to chain sets together by binding. The userspace program ipset(8) is required to define and set up IP sets.
u32

U32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths. Details and examples are in the kernel module source.
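The description above is easier to follow with the test language executed against a real byte string, so here is an added Python reimplementation of the u32 semantics. It is not the kernel module or its source: the grammar it accepts is the one the iptables u32 extension documents (tests joined by &&; a location that starts at a byte offset and applies &, <<, >> and @ left to right, where @ makes the current value the new base offset; a comparison against a comma-separated list of values or LO:HI ranges), and, like the module, it fails the match rather than erroring when a test would read past the end of the packet. The sample TCP packet, the function names and the named example expressions are constructed for this example.

```python
import re

# Tokens of a u32 location: numbers (decimal or 0x hex) and the operators &, <<, >>, @.
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|>>|<<|[&@])")


class _OutOfBounds(Exception):
    """A test read past the end of the packet; the whole match then fails."""


def _read32(pkt: bytes, base: int, offset: int) -> int:
    """Fetch 4 bytes at base+offset as a big-endian integer, like the module does."""
    pos = base + offset
    if pos < 0 or pos + 4 > len(pkt):
        raise _OutOfBounds(pos)
    return int.from_bytes(pkt[pos:pos + 4], "big")


def _eval_test(pkt: bytes, test: str) -> bool:
    """One test of the form LOCATION=VALUES."""
    location, sep, values = test.partition("=")
    if not sep:
        raise ValueError("test without '=': %r" % test)
    tokens = _TOKEN.findall(location)
    try:
        nums = [int(t, 0) for t in tokens[0::2]]      # offsets, masks and shift counts
    except ValueError:
        raise ValueError("bad location: %r" % location)
    ops = tokens[1::2]
    if len(nums) != len(ops) + 1:
        raise ValueError("bad location: %r" % location)
    base = 0
    val = _read32(pkt, base, nums[0])
    for op, n in zip(ops, nums[1:]):
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF
        elif op == ">>":
            val >>= n
        else:                                        # "@": the value becomes the new base
            base += val
            val = _read32(pkt, base, n)
    for rng in values.split(","):                    # any range may satisfy the test
        lo, _, hi = rng.strip().partition(":")
        lo = int(lo, 0)
        hi = int(hi, 0) if hi else lo
        if lo <= val <= hi:
            return True
    return False


def u32_match(pkt: bytes, expr: str) -> bool:
    """True if every '&&'-joined test matches the packet."""
    try:
        return all(_eval_test(pkt, t.strip()) for t in expr.split("&&"))
    except _OutOfBounds:
        return False


# Constructed sample: IPv4 (IHL 5, total length 44, proto 6) + TCP SYN from port 1234
# to port 80 + a 4-byte payload. Checksums are left zero; u32 never looks at them.
SAMPLE_TCP_PACKET = bytes([
    0x45, 0x00, 0x00, 0x2C,  0x12, 0x34, 0x00, 0x00,  0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,                                # src 10.0.0.1, dst 10.0.0.2
    0x04, 0xD2, 0x00, 0x50,  0, 0, 0, 0,  0, 0, 0, 0,         # sport 1234, dport 80, seq, ack
    0x50, 0x02, 0x20, 0x00,  0x00, 0x00, 0x00, 0x00,          # data offset 5, SYN, window, cksum, urg
]) + b"GET "

# Named expressions built from the same operators; the "@" ones skip the IP header
# (IHL*4 = bytes 0-3 >> 22 & 0x3C) and then the TCP header (data offset*4 = bytes 12-15 >> 26 & 0x3C).
EXAMPLES = {
    "ip proto is TCP":              "6&0xFF=6",
    "total length >= 256":          "0&0xFFFF=0x100:0xFFFF",
    "unfragmented TCP to port 80":  "6&0xFF=6 && 4&0x3FFF=0 && 0>>22&0x3C@0&0xFFFF=80",
    "TCP flags are exactly SYN":    "0>>22&0x3C@12>>16&0x3F=2",
    "payload starts with 'GET '":   "0>>22&0x3C@12>>26&0x3C@0=0x47455420",
    "read past the payload":        "0>>22&0x3C@12>>26&0x3C@4=0",
}


def evaluate_examples(pkt: bytes = SAMPLE_TCP_PACKET) -> dict:
    return {name: u32_match(pkt, expr) for name, expr in EXAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_examples().items():
        print("%-30s %s" % (name, result))
```

The two "@" steps are the part of the page's description worth tracing by hand: reading bytes 0-3, shifting right by 22 and masking with 0x3C yields IHL*4 (the IP header length in bytes), so a following @0 addresses the first TCP byte; the same trick on TCP bytes 12-15 with >>26 yields the TCP header length, so the next @ lands on the payload.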