Improvements since 4.1.7:
- #366, #375: Fix checksums in Slow Path.
  This is a fairly critical bug; please upgrade. It affects packets that fulfill the following conditions:
  - IPv4-to-IPv6
  - Not ICMP error
  - Incoming packet’s DF was disabled
  - Packet was large, or GRO-aggregated
- Add validation to more verbosely reject IPv6 packets that contain more than one fragment header.
- Add validation to more verbosely reject fragmented (and not reassembled by nf_defrag_ipv*) ICMP errors.
  (Aside from being fairly illegal, these packets cannot be translated because the "ICMPv6 length" of the ICMP pseudoheader is unknown.)
- Bugfix: When routing TCP/UDP fragments, the code was including header ports even though nonzero fragment-offset packets lack TCP/UDP headers.
  This bug probably doesn't affect you, unless your routing is somehow port-based.
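
The fragment-routing fix above, shown as an added example (not the project's own code): a port-aware flow key must only read ports when the IPv4 fragment offset is zero. The `flow_ports` struct, the function name and the sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical flow key for a port-aware route lookup (not the project's struct). */
struct flow_ports { uint16_t src, dst; int have_ports; };

/* Fill `out` from a raw IPv4 packet; returns -1 if truncated or not IPv4.
 * Ports are read only from TCP (6) / UDP (17) packets whose fragment offset
 * is zero: later fragments start with payload bytes, not an L4 header. */
int flow_ports_from_ipv4(const uint8_t *pkt, size_t len, struct flow_ports *out)
{
    out->src = out->dst = 0;
    out->have_ports = 0;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl)
        return -1;
    /* Bytes 6-7: 3 flag bits, then the 13-bit fragment offset (8-byte units). */
    uint16_t frag_off = (uint16_t)(((pkt[6] << 8) | pkt[7]) & 0x1FFF);
    uint8_t proto = pkt[9];
    if (frag_off != 0 || (proto != 6 && proto != 17))
        return 0;               /* no L4 header here: leave ports unset */
    if (len < ihl + 4)
        return -1;
    out->src = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    out->dst = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    out->have_ports = 1;
    return 0;
}

/* Constructed samples: first and later fragment of one UDP datagram. */
static const uint8_t FIRST_FRAG[] = {   /* MF=1, offset 0, ports 5000 -> 53 */
    0x45,0,0,28, 0,1,0x20,0x00, 64,17,0,0, 192,0,2,1, 198,51,100,1,
    0x13,0x88, 0x00,0x35, 0,0,0,0 };
static const uint8_t LATER_FRAG[] = {   /* offset 1 (8 bytes): payload only */
    0x45,0,0,28, 0,1,0x00,0x01, 64,17,0,0, 192,0,2,1, 198,51,100,1,
    0xDE,0xAD, 0xBE,0xEF, 0,0,0,0 };

int main(void)
{
    struct flow_ports a, b;
    flow_ports_from_ipv4(FIRST_FRAG, sizeof FIRST_FRAG, &a);
    flow_ports_from_ipv4(LATER_FRAG, sizeof LATER_FRAG, &b);
    printf("first: have=%d %u->%u\n", a.have_ports, a.src, a.dst);
    printf("later: have=%d %u->%u\n", b.have_ports, b.src, b.dst);
    return 0;
}
```

Without the `frag_off` check, the later fragment would yield "ports" 57005 and 48879 taken from payload bytes, so a port-based routing rule could send fragments of one datagram down different paths.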