This patch is required to deal with fragmented IP packets. It has been
revealed that without this option Nether has IP fragments without valid
credentials (UID/GID, security context) delivered. These fragments are
passed to the backup back-end which accepts them.
As a result, some fragments reach a network interface, which is not
what we expect. Of course, a listener is not able to receive such
traffic because of the lack of important fragments.
Change-Id: I7485cc97f298c0cc73e3c011421de445ef1aaa02
return (false);
}
+ // You should be aware that when you turn on copying of packets (NFQNL_COPY_PACKET)
+ // then you will receive whole packets.
+ if(nfq_set_queue_flags(queueHandle, NFQA_CFG_F_GSO, NFQA_CFG_F_GSO))
+ {
+ LOGE("This kernel version does not allow to set NFQA_CFG_F_GSO");
+ nfq_destroy_queue(queueHandle);
+ return (false);
+ }
+
if (netherConfig.interfaceInfo)
{
nlif = nlif_open();
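Review bot: The LOGE message in the failure branch of nfq_set_queue_flags() blames the kernel version, but the call can fail for other reasons and the message drops errno; keep the wording neutral and include strerror(errno) so the actual cause is visible in the log. The new comment above the call mentions NFQNL_COPY_PACKET and whole packets but not why the flag is being set; the reason given in the commit message (fragments arriving without UID/GID or security context and being accepted by the backup back-end) belongs in that comment. Destroying the queue and returning false makes NFQA_CFG_F_GSO mandatory, which is the fail-closed choice for that reason; state this in the comment so the branch is not later relaxed to a warning. Style: `if(` lacks the space used by `if (netherConfig.interfaceInfo)` directly below.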