In the iptables-extensions man page, it says the length module matches the payload of L3, but xt_length.c matches the total length of the IPv4/v6 packet.

https://github.com/torvalds/linux/blob/4f671fe2f9523a1ea206f63fe60a7c7b3a56d5c7/net/netfilter/xt_length.c#L27

> u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);

http://git.netfilter.org/iptables/tree/extensions/libxt_length.man

> This module matches the length of the layer-3 payload (e.g. layer-4 packet)

should have been, perhaps,

> This module matches the length of the layer-3 packet (e.g. layer-2 payload)
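To make the difference concrete, here is an added example (not part of the post or of the netfilter/iptables code) that builds a constructed IPv4 packet and compares the value xt_length.c actually tests (the header's tot_len field) with the layer-3 payload length the man page wording suggests; xt_length_match mirrors the kernel's inclusive `--length lo:hi` range check on tot_len, and build_ipv4_packet is a hypothetical helper that leaves the header checksum at zero.

```python
import struct

IPV4_MIN_HDR = 20  # bytes in an IPv4 header with no options


def build_ipv4_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (+ optional options) + payload.
    IHL is in 32-bit words; tot_len covers header and payload. Checksum is
    left at 0 because only the length fields matter here."""
    assert len(options) % 4 == 0, "IPv4 options must be padded to 32-bit words"
    ihl = (IPV4_MIN_HDR + len(options)) // 4
    tot_len = ihl * 4 + len(payload)
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,          # version 4, header length in words
        0,                       # DSCP / ECN
        tot_len,                 # total length: header + payload
        0x1234,                  # identification (constructed)
        0,                       # flags / fragment offset
        64,                      # TTL
        17,                      # protocol: UDP
        0,                       # header checksum (not computed)
        bytes([192, 0, 2, 1]),   # src 192.0.2.1 (TEST-NET-1)
        bytes([192, 0, 2, 2]),   # dst 192.0.2.2 (TEST-NET-1)
    )
    return hdr + options + payload


def xt_length_value(pkt: bytes) -> int:
    """What xt_length.c compares: ntohs(ip_hdr(skb)->tot_len)."""
    return struct.unpack_from("!H", pkt, 2)[0]


def l3_payload_length(pkt: bytes) -> int:
    """What 'layer-3 payload' in the man page would mean: bytes after the IPv4 header."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return xt_length_value(pkt) - ihl_bytes


def xt_length_match(pkt: bytes, lo: int, hi: int) -> bool:
    """Mirror of the kernel's inclusive range test for `-m length --length lo:hi`."""
    n = xt_length_value(pkt)
    return lo <= n <= hi


if __name__ == "__main__":
    pkt = build_ipv4_packet(b"A" * 100)
    print("tot_len:", xt_length_value(pkt), "payload:", l3_payload_length(pkt))
    # A rule written as `--length 0:100` to cap the *payload* at 100 bytes
    # does not match this packet, because the kernel sees 120 (header included).
    print("matches 0:100 ->", xt_length_match(pkt, 0, 100))
```

The practical consequence is that a `--length` range must be written in terms of the whole IP packet, so a 100-byte payload needs at least the 20-byte header added to the upper bound.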