Turn on NFQA_CFG_F_GSO option for NFQUEUE

This patch is required to deal with fragmented IP packets. It has been
revealed that without this option Nether has IP fragments without valid
credentials (UID/GID, security context) delivered. These fragments are
passed to the backup back-end which accepts them.
In result some fragments reach a network interface, which is not
what we expect. Of course, a listener is not able to receive such
traffic because of lack of important fragments.

Change-Id: I7485cc97f298c0cc73e3c011421de445ef1aaa02

diff --git a/src/nether_Netlink.cpp b/src/nether_Netlink.cpp
index a0ef40a..b8b3731 100644 (file)
--- a/src/nether_Netlink.cpp
+++ b/src/nether_Netlink.cpp
@@ -82,6 +82,15 @@ bool NetherNetlink::initialize()
                return (false);
        }
 
+       // You should be aware that when you turn on copying of packets (NFQNL_COPY_PACKET)
+       // then you will receive whole packets.
+       if(nfq_set_queue_flags(queueHandle, NFQA_CFG_F_GSO, NFQA_CFG_F_GSO))
+       {
+               LOGE("This kernel version does not allow to set NFQA_CFG_F_GSO");
+               nfq_destroy_queue(queueHandle);
+               return (false);
+       }
+
        if (netherConfig.interfaceInfo)
        {
                nlif = nlif_open();