diff options
| author | Florian Westphal <fw@strlen.de> | 2019-05-21 13:24:30 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-05-22 10:51:49 +0200 |
| commit | e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072 (patch) | |
| tree | 767e4fd65dd100d9df194a9f5ef588a41b079737 /net/netfilter/nf_flow_table_ip.c | |
| parent | 6bac76db1da3cb162c425d58ae421486f8e43955 (diff) | |
| download | linux-e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072.tar.gz | |
netfilter: nf_flow_table: ignore DF bit setting
Its irrelevant if the DF bit is set or not, we must pass packet to
stack in either case.
If the DF bit is set, we must pass it to stack so the appropriate
ICMP error can be generated.
If the DF is not set, we must pass it to stack for fragmentation.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_flow_table_ip.c')
| -rw-r--r-- | net/netfilter/nf_flow_table_ip.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 0d603e20b519f..bfd44db9f2142 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -243,8 +243,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache; outdev = rt->dst.dev; - if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) && - (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0) + if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu))) return NF_ACCEPT; if (skb_try_make_writable(skb, sizeof(*iph))) |