On 20/05/14 02:39, Florian Westphal wrote:
> From a quick glance, it should be sufficient to edit br_parse_ip_options() and remove everything after memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
Yes. That's the way it used to be, and how it would return with the change I'm proposing. The br_parse_ip_options() function would be removed and its remaining code moved back from whence it came.
> A 2nd step would be to move a copy of ip_options_compile() into br_netfilter.c and trim it down to only validate the ipv4 header without modifying it.
The bridge sounds like the wrong place to validate an IPv4 header, unless it also validates every type of header; and that can't be right. That we need to zero the cb area seems like a big clue that IP's treatment of the area is lame. I think that's where the problem lies, and that the right thing to do is to yank out the crap from bridge that papers over IP's weakness.
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
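Added illustration, not code from the thread or from the kernel: a stand-alone user-space sketch of what a "validate only, never modify" IPv4 header check looks like, the behaviour the trimmed-down ip_options_compile() copy above would be reduced to. The function name and the sample packets are constructed for this example.

```c
/* Stand-alone user-space illustration (constructed for this example, not
 * kernel code): a read-only validity check of an IPv4 header and its option
 * area, in the spirit of the "validate only, never modify" trimmed-down
 * ip_options_compile() proposed in the thread. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPOPT_END 0   /* end of option list */
#define IPOPT_NOP 1   /* single-byte no-op */

/* Returns 1 if buf holds a well-formed IPv4 header (fixed part plus options),
 * 0 otherwise. The buffer is only read, never written. */
int ipv4_header_valid(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)          /* too short or not IPv4 */
        return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;    /* header length in bytes */
    size_t tot = ((size_t)buf[2] << 8) | buf[3]; /* total length field */
    if (ihl < 20 || ihl > len || tot < ihl || tot > len)
        return 0;
    const uint8_t *opt = buf + 20, *end = buf + ihl;
    while (opt < end) {                          /* walk options read-only */
        if (*opt == IPOPT_END)
            break;                               /* rest is padding */
        if (*opt == IPOPT_NOP) {
            opt++;
            continue;
        }
        if (end - opt < 2 || opt[1] < 2 || opt[1] > end - opt)
            return 0;                            /* length missing or overruns header */
        opt += opt[1];
    }
    return 1;
}

/* Constructed sample packets: plain header, valid options, option overrun. */
const uint8_t pkt_plain[20] = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t pkt_opts[24]  = {0x46,0,0,24, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                               IPOPT_NOP, 7,3,4};   /* NOP + record-route (len 3) */
const uint8_t pkt_bad[24]   = {0x46,0,0,24, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
                               7,10,4,0};           /* option claims 10 bytes, 4 remain */

int main(void)
{
    printf("plain=%d opts=%d bad=%d\n",
           ipv4_header_valid(pkt_plain, sizeof pkt_plain),
           ipv4_header_valid(pkt_opts, sizeof pkt_opts),
           ipv4_header_valid(pkt_bad, sizeof pkt_bad));
    return 0;
}
```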