@@ -185,11 +185,7 @@ client_nat_transform(const struct client_nat_option_list *list, struct buffer *i

                      const int direction)

 {

     struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *)BPTR(ipbuf);

-    int i;

-    uint32_t addr, *addr_ptr;

-    const uint32_t *from, *to;

-    int accumulate = 0;

-    unsigned int amask;

+    int32_t accumulate = 0;

     unsigned int alog = 0;

     if (check_debug_level(D_CLIENT_NAT))

@@ -197,8 +193,11 @@ client_nat_transform(const struct client_nat_option_list *list, struct buffer *i

         print_pkt(&h->ip, "BEFORE", direction, D_CLIENT_NAT);

     }

-    for (i = 0; i < list->n; ++i)

+    for (int i = 0; i < list->n; ++i)

     {

+        uint32_t addr, *addr_ptr;

+        const uint32_t *from, *to;

+        unsigned int amask;

         const struct client_nat_entry *e = &list->entries[i]; /* current NAT rule */

         if (e->type ^ direction)

         {

@@ -130,11 +130,6 @@ mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)

     }

 }

-#if defined(__GNUC__) || defined(__clang__)

-#pragma GCC diagnostic push

-#pragma GCC diagnostic ignored "-Wconversion"

-#endif

-

 /*

  * change TCP MSS option in SYN/SYN-ACK packets, if present

  * this is generic for IPv4 and IPv6, as the TCP header is the same

@@ -143,11 +138,8 @@ mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)

 void

 mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)

 {

-    int hlen, olen, optlen;

+    int olen, optlen;

     uint8_t *opt;

-    uint16_t mssval;

-    int accumulate;

-    struct openvpn_tcphdr *tc;

     if (BLEN(buf) < (int)sizeof(struct openvpn_tcphdr))

     {

@@ -155,8 +147,8 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)

     }

     verify_align_4(buf);

-    tc = (struct openvpn_tcphdr *)BPTR(buf);

-    hlen = OPENVPN_TCPH_GET_DOFF(tc->doff_res);

+    struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *)BPTR(buf);

+    int hlen = OPENVPN_TCPH_GET_DOFF(tc->doff_res);

     /* Invalid header length or header without options. */

     if (hlen <= (int)sizeof(struct openvpn_tcphdr) || hlen > BLEN(buf))

@@ -171,43 +163,37 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)

         {

             break;

         }

-        else if (*opt == OPENVPN_TCPOPT_NOP)

+        if (*opt == OPENVPN_TCPOPT_NOP)

         {

             optlen = 1;

+            continue;

+        }

+

+        optlen = *(opt + 1);

+        if (optlen <= 0 || optlen > olen)

+        {

+            break;

         }

-        else

+        if (*opt == OPENVPN_TCPOPT_MAXSEG)

         {

-            optlen = *(opt + 1);

-            if (optlen <= 0 || optlen > olen)

+            if (optlen != OPENVPN_TCPOLEN_MAXSEG)

             {

-                break;

+                continue;

             }

-            if (*opt == OPENVPN_TCPOPT_MAXSEG)

+            uint16_t mssval = (uint16_t)(opt[2] << 8) + opt[3];

+            if (mssval > maxmss)

             {

-                if (optlen != OPENVPN_TCPOLEN_MAXSEG)

-                {

-                    continue;

-                }

-                mssval = opt[2] << 8;

-                mssval += opt[3];

-                if (mssval > maxmss)

-                {

-                    dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss);

-                    accumulate = htons(mssval);

-                    opt[2] = (uint8_t)((maxmss >> 8) & 0xff);

-                    opt[3] = (uint8_t)(maxmss & 0xff);

-                    accumulate -= htons(maxmss);

-                    ADJUST_CHECKSUM(accumulate, tc->check);

-                }

+                dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss);

+                opt[2] = (uint8_t)((maxmss >> 8) & 0xff);

+                opt[3] = (uint8_t)(maxmss & 0xff);

+                int32_t accumulate = htons(mssval);

+                accumulate -= htons(maxmss);

+                ADJUST_CHECKSUM(accumulate, tc->check);

             }

         }

     }

 }

-#if defined(__GNUC__) || defined(__clang__)

-#pragma GCC diagnostic pop

-#endif

-

 static inline size_t

 adjust_payload_max_cbc(const struct key_type *kt, size_t target)

 {

@@ -214,7 +214,7 @@ struct ip_tcp_udp_hdr

  */

 #define ADJUST_CHECKSUM(acc, cksum)                \

     {                                              \

-        int _acc = acc;                            \

+        int32_t _acc = acc;                        \

         _acc += (cksum);                           \

         if (_acc < 0)                              \

         {                                          \

@@ -231,16 +231,16 @@ struct ip_tcp_udp_hdr

         }                                          \

     }

-#define ADD_CHECKSUM_32(acc, u32) \

-    {                             \

-        acc += (u32) & 0xffff;    \

-        acc += (u32) >> 16;       \

+#define ADD_CHECKSUM_32(acc, u32)         \

+    {                                     \

+        acc += (int32_t)((u32) & 0xffff); \

+        acc += (int32_t)((u32) >> 16);    \

     }

-#define SUB_CHECKSUM_32(acc, u32) \

-    {                             \

-        acc -= (u32) & 0xffff;    \

-        acc -= (u32) >> 16;       \

+#define SUB_CHECKSUM_32(acc, u32)         \

+    {                                     \

+        acc -= (int32_t)((u32) & 0xffff); \

+        acc -= (int32_t)((u32) >> 16);    \

     }

 /*