synproxy must never be used in output rules, doing so results in kernel
crash due to infinite recursive calls back to nf_hook_slow() for the
emitted reply packet.
Up until recently kernel lacked this validation, and now that the kernel
rejects this the test fails. Use input to make this pass again.
A new test to ensure we reject synproxy in ouput should be added
in the near future.
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / commit
