Message ID | 20130505220504.1a3f2380a1e798b37e628dd1@highloadlab.com |
---|---|
State | Not Applicable |
Also, shouldn't xt_RAWNAT depend on the nf_defrag_ipv4 module? xt_RAWNAT may work with IP fragments in the PREROUTING chain, and changing the IP payload (believing it is the TCP/UDP checksum) in a fragment is harmful.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/extensions/xt_RAWNAT.c b/extensions/xt_RAWNAT.c index a52e614..858f911 100644 --- a/extensions/xt_RAWNAT.c +++ b/extensions/xt_RAWNAT.c @@ -109,7 +109,7 @@ static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip) static unsigned int rawnat4_writable_part(const struct iphdr *iph) { - unsigned int wlen = sizeof(*iph); + unsigned int wlen = iph->ihl * 4; switch (iph->protocol) { case IPPROTO_TCP:
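Review bot: `wlen = iph->ihl * 4` is only safe if `iph->ihl` has been validated before rawnat4_writable_part() is reached (at least 5, and that many header bytes actually present in the skb); the hunk carries no such check, so it relies on the IPv4 receive path having done it before the PREROUTING hook runs, which is worth stating in the commit message. The change is otherwise correct: the old `sizeof(*iph)` fixed the header at 20 bytes, so with options present the `switch (iph->protocol)` additions for TCP/UDP left the L4 checksum outside the writable region, and the multiplication used here is the kernel's usual header-length idiom (ip_hdrlen(skb) is the same computation when an skb is at hand).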
Consider a TCP/IPv4 packet with IP options: sizeof(*iph) + sizeof(struct tcphdr) is not enough to include the TCP checksum. It may hurt if this packet is fragmented. Therefore we should use iph->ihl * 4 instead of sizeof(*iph).

Signed-off-by: Dmitry Popov <dp@highloadlab.com>
---
 extensions/xt_RAWNAT.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
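To make the arithmetic in the commit message and the fragment concern in the reply concrete, here is an added example in user-space C; it is not code from xt_RAWNAT or from the patch author. It uses a constructed stand-in for the kernel's struct iphdr (same 20-byte layout), recomputes the writable length both the pre-patch way (`sizeof(*iph)`) and the patched way (`iph->ihl * 4`), and checks whether each reaches the TCP/UDP checksum field; it also flags non-first fragments, which carry no L4 header at all. The helper names (`writable_part_old`, `writable_part_new`, `l4_checksum_end`, `checksum_covered`, `is_nonfirst_fragment`) and the constants are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed stand-in for the kernel's struct iphdr: same field order and
 * size (20 bytes); only ihl, protocol and frag_off matter for this example. */
struct ipv4_hdr {
    uint8_t  ihl:4;
    uint8_t  version:4;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

#define IP_PROTO_TCP    6
#define IP_PROTO_UDP    17
#define TCP_HDR_LEN     20      /* sizeof(struct tcphdr), no TCP options */
#define UDP_HDR_LEN     8       /* sizeof(struct udphdr) */
#define TCP_CHECK_OFF   16      /* offsetof(struct tcphdr, check) */
#define UDP_CHECK_OFF   6       /* offsetof(struct udphdr, check) */
#define IP_OFFSET_MASK  0x1FFF  /* fragment-offset bits of frag_off */

/* IP header length in bytes as the patch computes it: ihl is in 32-bit words. */
static unsigned int ip_hdr_len(const struct ipv4_hdr *iph)
{
    return iph->ihl * 4;
}

/* Bytes from the start of the IP header that must be writable so the L4
 * checksum can be updated after the addresses change, given hlen bytes of IP header. */
static unsigned int writable_part(unsigned int hlen, uint8_t protocol)
{
    unsigned int wlen = hlen;
    switch (protocol) {
    case IP_PROTO_TCP: wlen += TCP_HDR_LEN; break;
    case IP_PROTO_UDP: wlen += UDP_HDR_LEN; break;
    default: break;
    }
    return wlen;
}

/* Pre-patch behaviour: a fixed 20-byte IP header is assumed. */
static unsigned int writable_part_old(const struct ipv4_hdr *iph)
{
    return writable_part(sizeof(*iph), iph->protocol);
}

/* Post-patch behaviour: the real header length, options included. */
static unsigned int writable_part_new(const struct ipv4_hdr *iph)
{
    return writable_part(ip_hdr_len(iph), iph->protocol);
}

/* Offset one past the L4 checksum field, counted from the IP header;
 * 0 if the protocol carries no checksum this example knows about. */
static unsigned int l4_checksum_end(const struct ipv4_hdr *iph)
{
    switch (iph->protocol) {
    case IP_PROTO_TCP: return ip_hdr_len(iph) + TCP_CHECK_OFF + 2;
    case IP_PROTO_UDP: return ip_hdr_len(iph) + UDP_CHECK_OFF + 2;
    default:           return 0;
    }
}

/* Does a writable region of wlen bytes reach the whole L4 checksum field? */
static int wlen_covers_checksum(unsigned int wlen, const struct ipv4_hdr *iph)
{
    unsigned int end = l4_checksum_end(iph);
    return end != 0 && wlen >= end;
}

/* Non-first fragments carry payload only: there is no L4 header, so bytes at
 * the "checksum" offset belong to application data and must not be rewritten. */
static int is_nonfirst_fragment(const struct ipv4_hdr *iph)
{
    return (ntohs(iph->frag_off) & IP_OFFSET_MASK) != 0;
}

/* 1 if the checksum lies inside the writable part for a header of ihl words,
 * using the pre-patch (patched == 0) or patched (patched != 0) computation. */
static int checksum_covered(unsigned int ihl, uint8_t proto, int patched)
{
    struct ipv4_hdr h;
    memset(&h, 0, sizeof(h));
    h.version = 4;
    h.ihl = (uint8_t)ihl;
    h.protocol = proto;
    return wlen_covers_checksum(patched ? writable_part_new(&h)
                                        : writable_part_old(&h), &h);
}

int main(void)
{
    unsigned int ihl;
    /* Walk every legal header length: only ihl == 5 (no options) is safe pre-patch. */
    for (ihl = 5; ihl <= 15; ihl++)
        printf("ihl=%2u (%2u option bytes): old %s TCP checksum, patched %s\n",
               ihl, (ihl - 5) * 4,
               checksum_covered(ihl, IP_PROTO_TCP, 0) ? "covers" : "MISSES",
               checksum_covered(ihl, IP_PROTO_TCP, 1) ? "covers" : "MISSES");
    return 0;
}
```

With four option bytes (ihl = 6) the TCP checksum ends at byte 42 while the old writable length is still 40, so the pre-patch code would compute and update a checksum it was never guaranteed to be able to write; the patched length of 44 covers it. The fragment check is separate from the length fix: the patch does not address it, and a non-first fragment has to be excluded (or reassembled first, as the reply suggests) regardless of how wlen is computed.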