netfilter: add IPv4/6 IPComp extension match support

With this plugin, user could specify IPComp tagged with certain CPI that host not interested will be DROPped or any other action. For example: iptables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP ip6tables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP Then input IPComp packet with CPI equates 0x87 will not reach upper layer anymore. Signed-off-by: Fan Du <fan.du@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: fan.du <fan.du@windriver.com> 2013-12-18 11:27:02 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-12-24 12:37:58 +0100
commit: 6a649f339802f104549e1fb211e381036661e244 (patch)
tree: 673fd543f147e890e2cd34deceaa70606ff83054 /net/netfilter/Kconfig
parent: 08c0cad69f32ad1e881fa3fb7f5e0a25db5b07ce (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index c3398cd99b94..6d8e48b376fc 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1035,6 +1035,15 @@ config NETFILTER_XT_MATCH_HL
 	in the IPv6 header, or the time-to-live field in the IPv4
 	header of the packet.
 
+config NETFILTER_XT_MATCH_IPCOMP
+	tristate '"ipcomp" match support'
+	depends on NETFILTER_ADVANCED
+	help
+	  This match extension allows you to match a range of CPIs(16 bits)
+	  inside IPComp header of IPSec packets.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_IPRANGE
 	tristate '"iprange" address range match support'
 	depends on NETFILTER_ADVANCED
author	fan.du <fan.du@windriver.com>	2013-12-18 11:27:02 +0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-12-24 12:37:58 +0100
commit	6a649f339802f104549e1fb211e381036661e244 (patch)
tree	673fd543f147e890e2cd34deceaa70606ff83054 /net/netfilter/Kconfig
parent	08c0cad69f32ad1e881fa3fb7f5e0a25db5b07ce (diff)