On 02.03, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > 2) TCPMSS. Relax the checking when used from nft_compat and make sure
> > that we skip !syn packets in case userspace provides a wrong
> > configuration.
> > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> > index e762de5..3b9761f 100644
> > --- a/net/netfilter/xt_TCPMSS.c
> > +++ b/net/netfilter/xt_TCPMSS.c
> > @@ -97,6 +97,9 @@ tcpmss_mangle_packet(struct sk_buff *skb,
> > if (!skb_make_writable(skb, skb->len))
> > return -1;
> >
> > + if (unlikely(!tcph->syn))
> > + return 0;
> > +
> > len = skb->len - tcphoff;
>
> Applying this to my copy of nf-next would insert this test before
> tcph is set up.

I actually don't think the test is necessary at all. Since we don't check
the protocol with nft, any packet with that bit set will pass. It will most
likely fail or corrupt the packet, but why should we care? It won't crash
and with nft it's the responsibility of userspace to take care of using
the extension correctly.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
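Review bot: the added `if (unlikely(!tcph->syn))` dereferences `tcph` directly after the `skb_make_writable(skb, skb->len)` check, and, as the reply above points out, at that position in nf-next `tcph` has not been set up yet, so the check reads through a pointer that is not yet valid for this packet. If the early return is kept, it has to move below the point where `tcph` is assigned (after `len = skb->len - tcphoff;` and the header pointer setup), and since `skb_make_writable()` may relocate the packet data, any header pointer must be taken after that call rather than before it. The reply's alternative of dropping the check entirely also deserves a sentence in the commit message: with nft_compat the target can run on non-TCP or non-SYN traffic, and the message should state whether mangling such a packet is tolerated as a userspace configuration error or is meant to be filtered here.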