On 2 March 2015 at 16:46, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > Currently, we have four xtables extensions that cannot be used from the > xt over nft compat layer. The problem is that they need real access to > the full blown xt_entry to validate that the rule comes with the right > dependencies. This check was introduced to overcome the lack of > sufficient userspace dependency validation in iptables. > > To resolve this problem, this patch introduces a new field to the > xt_tgchk_param structure that tell us if the extension is run from > nft_compat context. > > The four affected extensions are: > > 1) CLUSTERIP, this target has been superseded by xt_cluster. So just > bail out by returning -EINVAL. > > 2) TCPMSS. Relax the checking when used from nft_compat. If used with > the wrong configuration, it will corrupt !syn packets by adding TCP > MSS option. > > 3) SYNPROXY6. Don't check for e->ipv6.flags if used from nft_compat. > > 4) ebt_stp. Relax the check to make sure it uses the reserved > destination MAC address for STP. > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> -- Arturo Borrero González -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
