mirror of
https://git.netfilter.org/nftables
synced 2026-01-26 10:34:27 +00:00
6b71d11491
synproxy must never be used in output rules, doing so results in kernel crash due to infinite recursive calls back to nf_hook_slow() for the emitted reply packet. Up until recently kernel lacked this validation, and now that the kernel rejects this the test fails. Use input to make this pass again. A new test to ensure we reject synproxy in ouput should be added in the near future. Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>