Re: [PATCH nf-next] netfilter: x_tables: add context to know if extension runs from nft_compat

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02.03, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > 2) TCPMSS. Relax the checking when used from nft_compat and make sure
> >    that we skip !syn packets in case userspace provides a wrong
> >    configuration.
> > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> > index e762de5..3b9761f 100644
> > --- a/net/netfilter/xt_TCPMSS.c
> > +++ b/net/netfilter/xt_TCPMSS.c
> > @@ -97,6 +97,9 @@ tcpmss_mangle_packet(struct sk_buff *skb,
> >  	if (!skb_make_writable(skb, skb->len))
> >  		return -1;
> >  
> > +	if (unlikely(!tcph->syn))
> > +		return 0;
> > +
> >  	len = skb->len - tcphoff;
> 
> Applying this to my copy of nf-next would insert this test before
> tcph is set up.

I actually don't think the test is necessary at all. Since we
don't check the protocol with nft, any packet with that bit set
will pass. It will most likely fail or corrupt the packet, but
why should we care? It won't crash and with nft its the
responsibility of userspace to take care of using the extension
correctly.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux