Consider a TCP/IPv4 packet with IP options: sizeof(*iph) + sizeof(struct tcphdr) is not enough to include the TCP checksum. It may hurt if this packet is fragmented. Therefore we should use iph->ihl * 4 instead of sizeof(*iph). Signed-off-by: Dmitry Popov <dp@xxxxxxxxxxxxxxx> --- extensions/xt_RAWNAT.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/xt_RAWNAT.c b/extensions/xt_RAWNAT.c index a52e614..858f911 100644 --- a/extensions/xt_RAWNAT.c +++ b/extensions/xt_RAWNAT.c @@ -109,7 +109,7 @@ static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip) static unsigned int rawnat4_writable_part(const struct iphdr *iph) { - unsigned int wlen = sizeof(*iph); + unsigned int wlen = iph->ihl * 4; switch (iph->protocol) { case IPPROTO_TCP:
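Review bot: In rawnat4_writable_part(), the new `wlen = iph->ihl * 4` takes the header length directly from the packet, and nothing in the visible context bounds it. If ihl can be below 5 at this point, wlen becomes smaller than the old sizeof(*iph) and the computed writable length no longer covers the fixed IP header, so the TCP case would again stop short of the checksum field. Please either add a one-line comment stating that the IP header length has already been validated on every path that reaches this function, or guard the value, for example by falling back to sizeof(*iph) when `iph->ihl * 4 < sizeof(*iph)`. It would also help to mention in the commit message how the larger length behaves for the fragmented case it refers to, since the hunk itself does not show whether whatever consumes wlen tolerates a length beyond the data present in the skb.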