summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2012-09-24 14:52:12 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-09-24 15:10:29 +0200
commit6ee584be3ee30f72dec8a8ca87bc10824e27a631 (patch)
tree23306d3404c684e05bf537c9d4df7df572663509 /include
parentba8d3b0bf5900b9ee5354e7d73358867763a6766 (diff)
downloadop-kernel-dev-6ee584be3ee30f72dec8a8ca87bc10824e27a631.zip
op-kernel-dev-6ee584be3ee30f72dec8a8ca87bc10824e27a631.tar.gz
netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute
This patch adds the NFQA_CAP_LEN attribute that allows us to know what is the real packet size from user-space (even if we decided to retrieve just a few bytes from the packet instead of all of it). Security software that inspects packets should always check for this new attribute to make sure that it is inspecting the entire packet. This also helps to provide a workaround for the problem described in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2 Original idea from Florian Westphal. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/nfnetlink_queue.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 3b1c136..70ec8c2 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,7 @@ enum nfqnl_attr_type {
NFQA_PAYLOAD, /* opaque data payload */
NFQA_CT, /* nf_conntrack_netlink.h */
NFQA_CT_INFO, /* enum ip_conntrack_info */
+ NFQA_CAP_LEN, /* __u32 length of captured packet */
__NFQA_MAX
};
OpenPOWER on IntegriCloud