diff options
author | David S. Miller <davem@davemloft.net> | 2013-09-04 12:28:02 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-09-04 12:28:02 -0400 |
commit | 48f8e0af8668351e249f817406c770a36e2274db (patch) | |
tree | ccc4d0f20ab64aba3de1ab6b0c797bbf6b1d678c /net/ipv4 | |
parent | c995ae2259ee36caf48bbfacf40111998dacd4af (diff) | |
parent | 1205e1fa615805c9efa97303b552cf445965752a (diff) | |
download | op-kernel-dev-48f8e0af8668351e249f817406c770a36e2274db.zip op-kernel-dev-48f8e0af8668351e249f817406c770a36e2274db.tar.gz |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
The following batch contains:
* Three fixes for the new synproxy target available in your
net-next tree, from Jesper D. Brouer and Patrick McHardy.
* One fix for TCPMSS to correctly handling the fragmentation
case, from Phil Oester. I'll pass this one to -stable.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/ipt_SYNPROXY.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c index 94371db..67e17dc 100644 --- a/net/ipv4/netfilter/ipt_SYNPROXY.c +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c @@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) synproxy_parse_options(skb, par->thoff, th, &opts); - if (th->syn && !th->ack) { + if (th->syn && !(th->ack || th->fin || th->rst)) { /* Initial SYN from client */ this_cpu_inc(snet->stats->syn_received); @@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) XT_SYNPROXY_OPT_ECN); synproxy_send_client_synack(skb, th, &opts); - } else if (th->ack && !(th->fin || th->rst)) + return NF_DROP; + + } else if (th->ack && !(th->fin || th->rst || th->syn)) { /* ACK from client */ synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); + return NF_DROP; + } - return NF_DROP; + return XT_CONTINUE; } static unsigned int ipv4_synproxy_hook(unsigned int hooknum, |