[PATCH] remove overzealous checks in REJECT target
Carl-Daniel Hailfinger
c-d.hailfinger.kernel.2004 at gmx.net
Wed Dec 1 07:41:39 CET 2004
Hi,
after wondering why the REJECT target didn't work as expected
when scanned with nmap -sO, I found a check in ipt_REJECT.c
for 8 or more bytes of proto header which caused all packets
generated by nmap to be dropped although they were sent to the
REJECT target. Since I could not see any use for the proto
header length check, I replaced it with a warning.
Now the REJECT target works as expected for all packets I
could throw at it.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
Signed-off-by Carl-Daniel Hailfinger <c-d.hailfinger.kernel.2004 at gmx.net>
--- linux-2.6.9/net/ipv4/netfilter/ipt_REJECT.c~ Wed Dec 1 06:38:06 2004
+++ linux-2.6.9/net/ipv4/netfilter/ipt_REJECT.c Wed Dec 1 06:41:04 2004
@@ -255,7 +255,7 @@ static void send_unreach(struct sk_buff
/* Ensure we have at least 8 bytes of proto header. */
if (skb_in->len < skb_in->nh.iph->ihl*4 + 8)
- return;
+ printk("REJECT: we have less than 8 bytes of proto header.\n");
/* if UDP checksum is set, verify it's correct */
if (iph->protocol == IPPROTO_UDP
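Review bot: With the `return;` gone in send_unreach(), a packet with fewer than 8 bytes of protocol header now falls through to the `iph->protocol == IPPROTO_UDP` checksum check just below, which would then run on a packet that does not hold a full 8-byte UDP header. If short packets of other protocols should still be rejected, keep the early return for the UDP case or make the UDP branch conditional on the length test, so that only non-UDP short packets continue. The replacement `printk("REJECT: we have less than 8 bytes of proto header.\n");` has no log level and no rate limit, and it fires once per matching packet, so any remote sender of short packets can fill the kernel log; give it a KERN_ level and wrap it in net_ratelimit(), or drop the message entirely. The comment "Ensure we have at least 8 bytes of proto header." also no longer describes what the code does and should be updated with the change.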