On Fri, Dec 12, 2003 at 09:10:00PM +0100, Maciej Soltysiak wrote:
> > But iph is not used, we are using tcph later on in the code, so we should:
> >                 tcph = (*pskb)->nh.tcph;
> Of course I meant:
>                 tcph = (*pskb)->h.th;

I'll put the following patch in CVS and submit it for kernel inclusion:

--- linux/net/ipv4/netfilter/ipt_ECN.c	2003-12-13 09:54:14.000000000 +0100
+++ linux-new/net/ipv4/netfilter/ipt_ECN.c	2003-12-13 09:56:35.000000000 +0100
@@ -4,7 +4,7 @@
  * 
  * This software is distributed under GNU GPL v2, 1991
  * 
- * ipt_ECN.c,v 1.4 2002/08/05 19:36:51 laforge Exp
+ * ipt_ECN.c,v 1.5 2003/12/13 19:36:51 laforge Exp
 */
 
 #include <linux/module.h>
@@ -59,8 +59,8 @@
 	    const struct ipt_ECN_info *einfo)
 {
 
-	struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
-	u_int16_t *tcpflags = (u_int16_t *)tcph + 6;
+	struct tcphdr *tcph;
+	u_int16_t *tcpflags;
 	u_int16_t diffs[2];
 
 	/* raw socket (tcpdump) may have clone of incoming
@@ -71,9 +71,12 @@
 			return NF_DROP;
 		kfree_skb(*pskb);
 		*pskb = nskb;
-		iph = (*pskb)->nh.iph;
 	}
 
+	iph = (*pskb)->nh.iph;
+	tcph = (void *) iph + iph->ihl * 4;
+	tcpflags = (u_int16_t *)tcph + 6;
+
 	diffs[0] = *tcpflags;
 
 	if (einfo->operation & IPT_ECN_OP_SET_ECE

> Regards,
> Maciej
-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie