One would expect nfq_udp_mangle_ipv4() to take care of the length field in the UDP header but it did not. With this patch, it does. This patch is very unlikely to adversely affect any existing userspace software (that did its own length adjustment), because UDP checksumming was broken
---
 src/extra/udp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/extra/udp.c b/src/extra/udp.c
index 8c44a66..6836230 100644
--- a/src/extra/udp.c
+++ b/src/extra/udp.c
@@ -140,6 +140,8 @@ nfq_udp_mangle_ipv4(struct pkt_buff *pkt,
 iph = (struct iphdr *)pkt->network_header;
 udph = (struct udphdr *)(pkt->network_header + iph->ihl*4);
 
+ udph->len = htons(ntohs(udph->len) + rep_len - match_len);
+
 if (!nfq_ip_mangle(pkt, iph->ihl*4 + sizeof(struct udphdr),
 match_offset, match_len, rep_buffer, rep_len))
 return 0;
-- 
2.14.5
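Review bot: The added `udph->len = htons(ntohs(udph->len) + rep_len - match_len);` rewrites the UDP length before `nfq_ip_mangle()` has succeeded, so on the `return 0` path the header is left advertising a length the payload never received. Moving the assignment below the `if (!nfq_ip_mangle(...)) return 0;` check would keep header and payload consistent when the mangle is refused. The sum is also narrowed to 16 bits by `htons()` without any range check; computing it into a wider local first and rejecting it with something like `if (new_len < sizeof(struct udphdr) || new_len > UINT16_MAX) return 0;` would keep a wrapped or undersized length out of the header, assuming `rep_len` and `match_len` are caller-supplied (their declarations lie outside the hunk). The function's signature and its tail, including any checksum recomputation, are outside the hunk, so whether a later step already validates the result cannot be confirmed from here.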