Skip to content

v4.1.8
Compare
Choose a tag to compare
@ydahhrk ydahhrk released this 21 Mar 01:42
v4.1.8
This tag was signed with the committer’s verified signature.
ydahhrk Alberto Leiva Popper
GPG key ID: 72160FD57B242967
Learn about vigilant mode.
6822bde
This commit was signed with the committer’s verified signature.
ydahhrk Alberto Leiva Popper
GPG key ID: 72160FD57B242967
Learn about vigilant mode.

Improvements since 4.1.7:

  • #366, #375: Fix checksums in Slow Path.
    This is a fairly critical bug; please upgrade. It affects packets that fulfill the following conditions:
    • IPv4-to-IPv6
    • Not ICMP error
    • Incoming packet’s DF was disabled
    • Packet was large, or GRO-aggregated
  • Add validation to more verbosely reject IPv6 packets that contain more than one fragment header.
  • Add validation to more verbosely reject fragmented (and not reassembled by nf_defrag_ipv*) ICMP errors.
    (Aside from being fairly illegal, these packets cannot be translated because the "ICMPv6 length" of the ICMP pseudoheader is unknown.)
  • Bugfix: When routing TCP/UDP fragments, the code was including header ports even though nonzero fragment-offset packets lack TCP/UDP headers.
    This bug probably doesn't affect you, unless your routing is somehow port-based.
Assets 6
Loading