On Sun, Jun 09, 2013 at 11:59:48PM -0400, Phil Oester wrote:
> In commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond
> packet boundary"), a check for short TCP header or malformed packet was added.
> This check is unnecessary, as these packets are already handled in the tcp_error
> function of nf_conntrack_proto_tcp.c (see /* Not whole TCP header or malformed
> packet */).

We cannot assume nf_conntrack is loaded. We have to support stateless
setups as well.

> In addition, there was an error in the check which was added (len
> is being calculated incorrectly). In my testing, ALL packets are being dropped
> by the TCPOPTSTRIP target at present. Revert the unnecessary/incorrect checks.

Then, we have to fix the wrong calculation. I cannot reproduce this here.
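A stand-alone illustration of the kind of check discussed in this thread, added here as an example and not taken from the patch, the kernel or either poster: a user-space function that validates the TCP header length and option list against the packet boundary without relying on any earlier validation. The function name, the constants and the sample packet are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_MIN_HDR    20u  /* fixed TCP header without options */
#define SAMPLE_TCPHOFF 4u   /* constructed: TCP header starts 4 bytes in */

/* Constructed sample: 4 stand-in lower-layer bytes, then a 24-byte TCP
 * header (data offset 6) carrying one MSS option (kind 2, length 4). */
const uint8_t sample_pkt[] = {
    0, 0, 0, 0,
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x60, 0x02, 0xff, 0xff, 0, 0, 0, 0,
    0x02, 0x04, 0x05, 0xb4
};

/* Hypothetical helper: returns the TCP header length in bytes when the
 * header and every option lie inside the packet, -1 otherwise. */
int tcp_hdr_checked_len(const uint8_t *pkt, size_t pkt_len, size_t tcphoff)
{
    size_t len, hdrlen, i, optlen;

    if (tcphoff > pkt_len)
        return -1;
    len = pkt_len - tcphoff;        /* bytes available from the TCP header on */
    if (len < TCP_MIN_HDR)
        return -1;                  /* not a whole TCP header */
    hdrlen = (size_t)(pkt[tcphoff + 12] >> 4) * 4;   /* data offset field */
    if (hdrlen < TCP_MIN_HDR || hdrlen > len)
        return -1;                  /* header claims more than the packet holds */
    for (i = TCP_MIN_HDR; i < hdrlen; i += optlen) {
        uint8_t kind = pkt[tcphoff + i];

        if (kind == 0)              /* End of Option List */
            break;
        optlen = 1;
        if (kind == 1)              /* NOP is a single byte */
            continue;
        if (i + 1 >= hdrlen)
            return -1;              /* length byte missing */
        optlen = pkt[tcphoff + i + 1];
        if (optlen < 2 || i + optlen > hdrlen)
            return -1;              /* option runs past the header */
    }
    return (int)hdrlen;
}

int main(void)
{
    printf("%d\n", tcp_hdr_checked_len(sample_pkt, sizeof(sample_pkt),
                                       SAMPLE_TCPHOFF));
    return 0;
}
```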