, but from my (limited) understanding of ALGs
this isn't a good enough reason.
Does it ever make sense to drop packets in an ALG?
Blair Steven (1):
Accept packets that the H.245 ALG can't process
net/netfilter/nf_conntrack_h323_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions
to the forwarding
engine.
Signed-off-by: Blair Steven <blair.ste...@alliedtelesis.co.nz>
---
net/netfilter/nf_conntrack_h323_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_h323_main.c
b/net/netfilter/nf_conntrack_h323_main.c
index 3
transport header (which isn't
>> quite right because UDP still is the transport protocol), we can
>> just save the offset locally. Something like this:
>>
>> ---8<---
>> Blair Steven noticed that ESN in conjunction with UDP encapsulation
>> is broken because we set
/ dest ports + SPI.
-Blair
On 06/13/2016 10:20 PM, Steffen Klassert wrote:
> On Mon, Jun 13, 2016 at 11:48:13AM +1200, Blair Steven wrote:
>> During testing we have discovered an issue with IPsec NAT-T where the SPI
>> is over writing the source and dest ports of the UDP header.
>
The offset for calculating ESN was not taking into account the new UDP
header created for NAT-T.
---
net/ipv4/esp4.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 4779374..c84d1fc 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,6 +223,8
to be doing
here, or if it should be done elsewhere.
Thanks very much
Blair Steven (1):
esp: correct offset for ESN when using NAT-T
net/ipv4/esp4.c | 2 ++
1 file changed, 2 insertions(+)
--
2.8.3
