path: root/net/netfilter/nf_nat_core.c
author Gao Feng <fgao@ikuai8.com> 2017-04-20 14:01:45 +0800
committer Pablo Neira Ayuso <pablo@netfilter.org> 2017-04-26 09:30:22 +0200
commit 495dcb56d09ddb63afe30e799af41876c3f061cc
tree a1f3b7af426436ea25763e5c8f5fe58d29c63263 /net/netfilter/nf_nat_core.c
parent aee12a0a3727e16fb837367c4755cb6daaf45109
netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking
Current SYNPROXY codes return NF_DROP during normal TCP handshaking,
it is not friendly to caller. Because the nf_hook_slow would treat
the NF_DROP as an error, and return -EPERM.
As a result, it may cause the top caller think it meets one error.

For example, the following codes are from cfv_rx_poll()

	err = netif_receive_skb(skb);
	if (unlikely(err)) {
		++cfv->ndev->stats.rx_dropped;
	} else {
		++cfv->ndev->stats.rx_packets;
		cfv->ndev->stats.rx_bytes += skb_len;
	}

When SYNPROXY returns NF_DROP, then netif_receive_skb returns -EPERM.
As a result, the cfv driver would treat it as an error, and increase
the rx_dropped counter.

So use NF_STOLEN instead of NF_DROP now because there is no error
happened indeed, and free the skb directly.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_nat_core.c')
0 files changed, 0 insertions, 0 deletions
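
The verdict-to-errno mapping the commit message describes, as an added user-space model that is not code from this commit or from the kernel tree. The function names model_receive() and model_rx_poll() are hypothetical, and collapsing the whole receive path into one switch is an assumption made for illustration; the verdict constants are the ones from include/uapi/linux/netfilter.h.

```c
#include <errno.h>
#include <stdio.h>

/* Verdict encoding from include/uapi/linux/netfilter.h. */
#define NF_DROP         0
#define NF_ACCEPT       1
#define NF_STOLEN       2
#define NF_VERDICT_MASK 0x000000ff
#define NF_VERDICT_BITS 16

/* Counters shaped like the ones cfv_rx_poll() updates in the commit message. */
struct rx_stats { unsigned long rx_packets, rx_dropped; };

/*
 * Simplified model (assumption) of the hook-to-caller path: a DROP verdict
 * becomes a negative errno, -EPERM unless the hook encoded one in the upper
 * 16 bits; STOLEN and ACCEPT are both reported to the caller as success.
 */
static int model_receive(unsigned int verdict)
{
	switch (verdict & NF_VERDICT_MASK) {
	case NF_DROP: {
		int err = -(int)(verdict >> NF_VERDICT_BITS);
		return err ? err : -EPERM;
	}
	case NF_STOLEN: /* the hook took ownership of the skb and frees it */
	case NF_ACCEPT:
	default:
		return 0;
	}
}

/* Driver-side accounting, mirroring the quoted cfv_rx_poll() branch. */
static void model_rx_poll(struct rx_stats *st, unsigned int verdict)
{
	if (model_receive(verdict))
		++st->rx_dropped;
	else
		++st->rx_packets;
}

int main(void)
{
	struct rx_stats old = {0, 0}, new = {0, 0};
	model_rx_poll(&old, NF_DROP);   /* handshake packet, verdict before the change */
	model_rx_poll(&new, NF_STOLEN); /* same packet, verdict after the change */
	printf("NF_DROP dropped=%lu, NF_STOLEN dropped=%lu\n", old.rx_dropped, new.rx_dropped);
	return 0;
}
```

When reviewing interface statistics on a SYNPROXY host, the practical consequence is that rx_dropped on kernels without this change includes proxied handshake packets, so it overstates real receive errors.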