summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2019-05-21 13:24:30 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-05-22 10:51:49 +0200
commite75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072 (patch)
tree767e4fd65dd100d9df194a9f5ef588a41b079737 /net
parent6bac76db1da3cb162c425d58ae421486f8e43955 (diff)
downloadlinux-e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072.tar.gz
linux-e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072.tar.bz2
linux-e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072.zip
netfilter: nf_flow_table: ignore DF bit setting
Its irrelevant if the DF bit is set or not, we must pass packet to stack in either case. If the DF bit is set, we must pass it to stack so the appropriate ICMP error can be generated. If the DF is not set, we must pass it to stack for fragmentation. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_flow_table_ip.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 0d603e20b519..bfd44db9f214 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -243,8 +243,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
outdev = rt->dst.dev;
- if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
- (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
+ if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
return NF_ACCEPT;
if (skb_try_make_writable(skb, sizeof(*iph)))