Commit 7cc9eb6e authored by Jesper Dangaard Brouer's avatar Jesper Dangaard Brouer Committed by Pablo Neira Ayuso

netfilter: SYNPROXY: let unrelated packets continue

Packets reaching SYNPROXY were default dropped, as they were most
likely invalid (given the recommended state matching).  This
patch, changes SYNPROXY target to let packets, not consumed,
continue being processed by the stack.

This will be more in line with other target modules, as it will allow
more flexible configurations of handling, logging or matching on
packets in INVALID states.
Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
Acked-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f4de4c89
...@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(skb, th, &opts); synproxy_send_client_synack(skb, th, &opts);
} else if (th->ack && !(th->fin || th->rst || th->syn)) return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */ /* ACK from client */
synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
return NF_DROP;
}
return NF_DROP; return XT_CONTINUE;
} }
static unsigned int ipv4_synproxy_hook(unsigned int hooknum, static unsigned int ipv4_synproxy_hook(unsigned int hooknum,
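Review bot: The final `return XT_CONTINUE;` silently inverts the target's previous default-deny, and nothing in the hunk documents that only the two consumed paths still drop (the branch closed by the first `return NF_DROP;`, presumably the SYN path since it sends the client SYN-ACK, and the bare-ACK branch), so any other segment reaching the target — RST, FIN, or an ACK that also carries fin/rst/syn — now re-enters the ruleset. A ruleset that relied on the old implicit drop must add an explicit drop (or log) rule after the SYNPROXY rule to keep equivalent behaviour; that operational consequence deserves a comment at the return site, e.g. `/* Neither SYN nor bare ACK: not handled here, hand the packet back to the ruleset (previously dropped implicitly) */`. The same applies to the identical change in the synproxy_tg6 hunk below. synproxy_tg4 begins before this hunk, so the condition guarding the first consumed branch is not visible here.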
...@@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(skb, th, &opts); synproxy_send_client_synack(skb, th, &opts);
} else if (th->ack && !(th->fin || th->rst || th->syn)) return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */ /* ACK from client */
synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
return NF_DROP;
}
return NF_DROP; return XT_CONTINUE;
} }
static unsigned int ipv6_synproxy_hook(unsigned int hooknum, static unsigned int ipv6_synproxy_hook(unsigned int hooknum,