netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute

This patch adds the NFQA_CAP_LEN attribute that allows us to know what is the real packet size from user-space (even if we decided to retrieve just a few bytes from the packet instead of all of it). Security software that inspects packets should always check for this new attribute to make sure that it is inspecting the entire packet. This also helps to provide a workaround for the problem described in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2 Original idea from Florian Westphal. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-24 12:52:12 (GMT)
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-09-24 13:10:29 (GMT)
commit: 6ee584be3ee30f72dec8a8ca87bc10824e27a631 (patch)
tree: 23306d3404c684e05bf537c9d4df7df572663509 /include/linux/netfilter
parent: ba8d3b0bf5900b9ee5354e7d73358867763a6766 (diff)
download: linux-fsl-qoriq-6ee584be3ee30f72dec8a8ca87bc10824e27a631.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index 3b1c136..70ec8c2 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,7 @@ enum nfqnl_attr_type {
 	NFQA_PAYLOAD,			/* opaque data payload */
 	NFQA_CT,			/* nf_conntrack_netlink.h */
 	NFQA_CT_INFO,			/* enum ip_conntrack_info */
+	NFQA_CAP_LEN,			/* __u32 length of captured packet */
 
 	__NFQA_MAX
 };
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-09-24 12:52:12 (GMT)
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-09-24 13:10:29 (GMT)
commit	6ee584be3ee30f72dec8a8ca87bc10824e27a631 (patch)
tree	23306d3404c684e05bf537c9d4df7df572663509 /include/linux/netfilter
parent	ba8d3b0bf5900b9ee5354e7d73358867763a6766 (diff)
download	linux-fsl-qoriq-6ee584be3ee30f72dec8a8ca87bc10824e27a631.tar.xz