[PATCH] remove overzealous checks in REJECT target

Carl-Daniel Hailfinger c-d.hailfinger.kernel.2004 at gmx.net
Wed Dec 1 07:41:39 CET 2004


Hi,

after wondering why the REJECT target didn't work as expected
when scanned with nmap -sO, I found a check in ipt_REJECT.c
for 8 or more bytes of proto header which caused all packets
gernated by nmap to be dropped although they were sent to the
REJECT target. Since I could not see any use for the proto
header length check, I replaced it with a warning.
Now the REJECT target works as expected for all packets I
could thow at it.

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/

Signed-off-by Carl-Daniel Hailfinger <c-d.hailfinger.kernel.2004 at gmx.net>
--- linux-2.6.9/net/ipv4/netfilter/ipt_REJECT.c~	Wed Dec  1 06:38:06 2004
+++ linux-2.6.9/net/ipv4/netfilter/ipt_REJECT.c	Wed Dec  1 06:41:04 2004
@@ -255,7 +255,7 @@ static void send_unreach(struct sk_buff

 	/* Ensure we have at least 8 bytes of proto header. */
 	if (skb_in->len < skb_in->nh.iph->ihl*4 + 8)
-		return;
+		printk("REJECT: we have less than 8 bytes of proto header.\n");

 	/* if UDP checksum is set, verify it's correct */
 	if (iph->protocol == IPPROTO_UDP



More information about the netfilter-devel mailing list