Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > 2) TCPMSS. Relax the checking when used from nft_compat and make sure > that we skip !syn packets in case userspace provides a wrong > configuration. > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c > index e762de5..3b9761f 100644 > --- a/net/netfilter/xt_TCPMSS.c > +++ b/net/netfilter/xt_TCPMSS.c > @@ -97,6 +97,9 @@ tcpmss_mangle_packet(struct sk_buff *skb, > if (!skb_make_writable(skb, skb->len)) > return -1; > > + if (unlikely(!tcph->syn)) > + return 0; > + > len = skb->len - tcphoff; Applying this to my copy of nf-next would insert this test before tcph is set up. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
