Lorenzo Bianconi <lorenzo@xxxxxxxxxx> wrote: > I guess the point is we run nf_flow_skb_encap_protocol() not only for IPIP > traffic but even for plain IP traffic (e.g. IP+UDP) in nf_flow_offload_lookup(). > In particular, we run the following check in nf_flow_tuple_ip() for IP+UDP > traffic: > > pskb_may_pull(, 28) > > That is less restrictive with respect to > > pskb_may_pull(, 40) Its in different functions? 40 bytes in linear area is a prerequisite for IPIP, and a check failure will not drop the skb; we'll still progress onwards to . But ok, it will be caught later too, so lets keep it as-is.
