Herbert Xu wrote:
Patrick, please have a look at the former. In fact it's not just that ihl may be bogus (which might be harmless as long as the REJECT hook only gets called from within the IP stack), I think REJECT would also do the wrong thing if the packet had IP options. So perhaps we should just make it create a packet from scratch rather than being too clever in reusing the old one.
We currently silently drop packets with IP options in the reject target. The length check should be fine since it's only called through the IP stack or bridge netfilter, which replicates the IP stack checks. But I agree to your suggestion, that will allow us to properly handle packets with IP options. I'll take care of this.