Re: [PATCH v2] net/sched: act_pedit: require matching IPv4 L4 protocol
From: Jakub Kicinski <kuba@kernel.org>
Date: 2026-06-09 02:18:46
Also in:
lkml
On Sun, 7 Jun 2026 19:35:46 +0000 Samuel Moelius wrote:
> The extended IPv4 L4 header mode in act_pedit can select TCP or UDP header fields without confirming that the IPv4 protocol field matches the selected transport header. That lets a rule written for TCP or UDP modify unrelated payload bytes in a packet carrying a different protocol. Verify that the IPv4 header is long enough, that the protocol matches the selected TCP or UDP header, and that the packet is not a non-initial fragment before applying TCP or UDP extended header edits.
This is a hardening patch?

It doesn't apply to either networking tree cleanly, please rebase on net (if it's a fix) and net-next (if it's hardening) and repost
--
pw-bot: cr
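The three checks listed in the quoted commit message (IPv4 header length, protocol match, not a non-initial fragment), as an added user-space C illustration. It is not the patch's code or kernel code; the function name `l4_edit_allowed`, the `HDR` macro and the sample packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* Hypothetical helper: return 1 only if pkt is an IPv4 packet whose header
 * is long enough, whose protocol field equals want_proto, and which is not
 * a non-initial fragment. Otherwise a TCP/UDP-relative edit would land on
 * bytes that are not the selected transport header. */
int l4_edit_allowed(const uint8_t *pkt, size_t len, uint8_t want_proto)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                           /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;                           /* IHL invalid or past the buffer */
    if (pkt[9] != want_proto)
        return 0;                           /* rule is for another protocol */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (frag & 0x1fff)
        return 0;                           /* fragment offset != 0: no L4 header here */
    return 1;
}

/* Constructed 28-byte sample packets (20-byte header, zeroed payload).
 * Arguments: version/IHL byte, flags+fragment-offset bytes, protocol. */
#define HDR(vihl, f_hi, f_lo, proto) \
    { vihl, 0, 0, 28, 0, 0, f_hi, f_lo, 64, proto, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2 }

static const uint8_t tcp_ok[28]   = HDR(0x45, 0x40, 0x00, PROTO_TCP);  /* DF set, offset 0 */
static const uint8_t icmp_pkt[28] = HDR(0x45, 0x40, 0x00, PROTO_ICMP);
static const uint8_t tcp_frag[28] = HDR(0x45, 0x00, 0x10, PROTO_TCP);  /* offset 16 */
static const uint8_t short_ihl[28] = HDR(0x44, 0x40, 0x00, PROTO_TCP); /* IHL = 16 bytes */
static const uint8_t long_ihl[28]  = HDR(0x4f, 0x40, 0x00, PROTO_TCP); /* IHL = 60 > 28 */

int main(void)
{
    printf("tcp rule on tcp packet:        %d\n", l4_edit_allowed(tcp_ok, sizeof tcp_ok, PROTO_TCP));
    printf("tcp rule on icmp packet:       %d\n", l4_edit_allowed(icmp_pkt, sizeof icmp_pkt, PROTO_TCP));
    printf("udp rule on tcp packet:        %d\n", l4_edit_allowed(tcp_ok, sizeof tcp_ok, PROTO_UDP));
    printf("tcp rule on non-initial frag:  %d\n", l4_edit_allowed(tcp_frag, sizeof tcp_frag, PROTO_TCP));
    printf("tcp rule, IHL below minimum:   %d\n", l4_edit_allowed(short_ihl, sizeof short_ihl, PROTO_TCP));
    printf("tcp rule, IHL past buffer:     %d\n", l4_edit_allowed(long_ihl, sizeof long_ihl, PROTO_TCP));
    return 0;
}
```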