diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-09-24 14:52:12 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-09-24 15:10:29 +0200 |
| commit | 6ee584be3ee30f72dec8a8ca87bc10824e27a631 (patch) | |
| tree | 23306d3404c684e05bf537c9d4df7df572663509 /include/linux/netfilter | |
| parent | ba8d3b0bf5900b9ee5354e7d73358867763a6766 (diff) | |
netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute
This patch adds the NFQA_CAP_LEN attribute that allows us to know
what is the real packet size from user-space (even if we decided
to retrieve just a few bytes from the packet instead of all of it).
Security software that inspects packets should always check for
this new attribute to make sure that it is inspecting the entire
packet.
This also helps to provide a workaround for the problem described
in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2
Original idea from Florian Westphal.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/netfilter')
| -rw-r--r-- | include/linux/netfilter/nfnetlink_queue.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h index 3b1c1360aedf..70ec8c2bc11a 100644 --- a/include/linux/netfilter/nfnetlink_queue.h +++ b/include/linux/netfilter/nfnetlink_queue.h @@ -44,6 +44,7 @@ enum nfqnl_attr_type { NFQA_PAYLOAD, /* opaque data payload */ NFQA_CT, /* nf_conntrack_netlink.h */ NFQA_CT_INFO, /* enum ip_conntrack_info */ + NFQA_CAP_LEN, /* __u32 length of captured packet */ __NFQA_MAX }; |