From: Stephen Suryaputra <ssuryaextr@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH RESEND nf-next] netfilter: add support for matching IPv4 options
Date: Tue, 18 Jun 2019 10:13:55 -0400
Message-ID: <20190618141355.GA5642@ubuntu>
In-Reply-To: <20190618153112.jwomdzit6mdawssi@salvia>

On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote:
> > +{
> > +	unsigned char optbuf[sizeof(struct ip_options) + 41];
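Review bot: the + 41 in the optbuf declaration is an unexplained size. IPv4 options occupy at most 40 bytes, so the extra byte needs a comment on that line saying what it holds, or a named constant in place of the literal.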
> 
> In other parts of the kernel this is + 40:
> 
> net/ipv4/cipso_ipv4.c:  unsigned char optbuf[sizeof(struct ip_options) + 40];
> 
> here it is + 41.
>
> ...
>
> > +	/* Copy the options since __ip_options_compile() modifies
> > +	 * the options. Get one byte beyond the option for target < 0
> 
> How does this "one byte beyond the option" trick work?

I used ipv6_find_hdr() as a reference. There if target is set to less
than 0, then the offset points to the byte beyond the extension header.
In this function, it points to the byte beyond the option. I wanted to
be as close to working code as possible. Also, why +41 instead of +40.

> > +		if (opt->end) {
> > +			*offset = opt->end + start;
> > +			target = IPOPT_END;
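Review bot: target = IPOPT_END in the opt->end branch reuses target, which the earlier comment treats as the search key (target < 0), to carry the result. A separate local for the return value, or a comment on that line, would make it clear that the function reports IPOPT_END with *offset set to opt->end + start.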
> 
> May I ask, what's the purpose of IPOPT_END? :-)

My understanding is that in ipv6_find_hdr() if the nexthdr is
NEXTHDR_NONE, then that's the one being returned. The same here: target
is the return value.

> Apart from the above, this looks good to me.

AOK for other comments. I can spin another version.

Thank you,

Stephen.
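
Added example, not part of the thread or the patch: a user-space C illustration of the bounds-checked option walk that a find-by-target helper like the one discussed needs. The function name, the return codes and the negative-target convention (offset set to the first byte beyond the options) are assumptions for illustration, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define IPOPT_END    0   /* end of option list, single byte */
#define IPOPT_NOOP   1   /* no-operation padding, single byte */
#define IPV4_MIN_HDR 20  /* header without options */

/* Constructed sample: IHL=6, one Router Alert option (type 148, len 4). */
static const uint8_t sample_hdr[24] = { [0] = 0x46, [20] = 148, [21] = 4 };

/* Hypothetical user-space helper, not the patch's function.
 * target >= 0: return target with *offset at that option's type byte, or -1.
 * target <  0: check every option, set *offset to the first byte beyond
 *              the options, return IPOPT_END (assumed convention).
 * Returns -2 for a truncated or malformed header. */
int find_ipv4_option(const uint8_t *pkt, size_t len, size_t *offset, int target)
{
    size_t hlen, i = IPV4_MIN_HDR;

    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4)
        return -2;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* 4-bit IHL caps options at 40 bytes */
    if (hlen < IPV4_MIN_HDR || hlen > len)
        return -2;
    while (i < hlen) {
        uint8_t type = pkt[i];
        size_t optlen = 1;

        if (type != IPOPT_END && type != IPOPT_NOOP) {
            if (i + 1 >= hlen)                    /* length byte must exist */
                return -2;
            optlen = pkt[i + 1];
            if (optlen < 2 || i + optlen > hlen)  /* and the option must fit */
                return -2;
        }
        if (target >= 0 && type == target) {
            *offset = i;
            return target;
        }
        if (type == IPOPT_END)
            break;                                /* remainder is padding */
        i += optlen;
    }
    if (target >= 0)
        return -1;
    *offset = hlen;
    return IPOPT_END;
}
```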
