If the netfilter can't get L4 header, the netfilter
marks hotdrop value. then {ip, ip6, arp, eb}t_do_table() drops
that packet immediately. but xt_ecn doesn't mark hotdrop value.
Signed-off-by: Taehee Yoo <ap420073@xxxxxxxxx>
---
net/netfilter/xt_ecn.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 3c831a8..c58db1d 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -37,8 +37,10 @@ static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)
* be good citizens.
*/
th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
- if (th == NULL)
+ if (!th) {
+ par->hotdrop = true;
return false;
+ }
if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
if (einfo->invert & XT_ECN_OP_MATCH_ECE) {
--
2.9.3
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
