diff options
| author | David S. Miller <davem@davemloft.net> | 2013-09-04 12:28:02 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-09-04 12:28:02 -0400 |
| commit | 48f8e0af8668351e249f817406c770a36e2274db (patch) | |
| tree | ccc4d0f20ab64aba3de1ab6b0c797bbf6b1d678c | |
| parent | c995ae2259ee36caf48bbfacf40111998dacd4af (diff) | |
| parent | 1205e1fa615805c9efa97303b552cf445965752a (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
The following batch contains:
* Three fixes for the new synproxy target available in your
net-next tree, from Jesper D. Brouer and Patrick McHardy.
* One fix for TCPMSS to correctly handling the fragmentation
case, from Phil Oester. I'll pass this one to -stable.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/netfilter/ipt_SYNPROXY.c | 10 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_SYNPROXY.c | 10 | ||||
| -rw-r--r-- | net/netfilter/nf_synproxy_core.c | 4 | ||||
| -rw-r--r-- | net/netfilter/xt_TCPMSS.c | 2 |
4 files changed, 17 insertions, 9 deletions
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c index 94371db6aecc..67e17dcda65e 100644 --- a/net/ipv4/netfilter/ipt_SYNPROXY.c +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c | |||
| @@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 269 | 269 | ||
| 270 | synproxy_parse_options(skb, par->thoff, th, &opts); | 270 | synproxy_parse_options(skb, par->thoff, th, &opts); |
| 271 | 271 | ||
| 272 | if (th->syn && !th->ack) { | 272 | if (th->syn && !(th->ack || th->fin || th->rst)) { |
| 273 | /* Initial SYN from client */ | 273 | /* Initial SYN from client */ |
| 274 | this_cpu_inc(snet->stats->syn_received); | 274 | this_cpu_inc(snet->stats->syn_received); |
| 275 | 275 | ||
| @@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 285 | XT_SYNPROXY_OPT_ECN); | 285 | XT_SYNPROXY_OPT_ECN); |
| 286 | 286 | ||
| 287 | synproxy_send_client_synack(skb, th, &opts); | 287 | synproxy_send_client_synack(skb, th, &opts); |
| 288 | } else if (th->ack && !(th->fin || th->rst)) | 288 | return NF_DROP; |
| 289 | |||
| 290 | } else if (th->ack && !(th->fin || th->rst || th->syn)) { | ||
| 289 | /* ACK from client */ | 291 | /* ACK from client */ |
| 290 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); | 292 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); |
| 293 | return NF_DROP; | ||
| 294 | } | ||
| 291 | 295 | ||
| 292 | return NF_DROP; | 296 | return XT_CONTINUE; |
| 293 | } | 297 | } |
| 294 | 298 | ||
| 295 | static unsigned int ipv4_synproxy_hook(unsigned int hooknum, | 299 | static unsigned int ipv4_synproxy_hook(unsigned int hooknum, |
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c index 4270a9b145e5..19cfea8dbcaa 100644 --- a/net/ipv6/netfilter/ip6t_SYNPROXY.c +++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c | |||
| @@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 284 | 284 | ||
| 285 | synproxy_parse_options(skb, par->thoff, th, &opts); | 285 | synproxy_parse_options(skb, par->thoff, th, &opts); |
| 286 | 286 | ||
| 287 | if (th->syn) { | 287 | if (th->syn && !(th->ack || th->fin || th->rst)) { |
| 288 | /* Initial SYN from client */ | 288 | /* Initial SYN from client */ |
| 289 | this_cpu_inc(snet->stats->syn_received); | 289 | this_cpu_inc(snet->stats->syn_received); |
| 290 | 290 | ||
| @@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 300 | XT_SYNPROXY_OPT_ECN); | 300 | XT_SYNPROXY_OPT_ECN); |
| 301 | 301 | ||
| 302 | synproxy_send_client_synack(skb, th, &opts); | 302 | synproxy_send_client_synack(skb, th, &opts); |
| 303 | } else if (th->ack && !(th->fin || th->rst)) | 303 | return NF_DROP; |
| 304 | |||
| 305 | } else if (th->ack && !(th->fin || th->rst || th->syn)) { | ||
| 304 | /* ACK from client */ | 306 | /* ACK from client */ |
| 305 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); | 307 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); |
| 308 | return NF_DROP; | ||
| 309 | } | ||
| 306 | 310 | ||
| 307 | return NF_DROP; | 311 | return XT_CONTINUE; |
| 308 | } | 312 | } |
| 309 | 313 | ||
| 310 | static unsigned int ipv6_synproxy_hook(unsigned int hooknum, | 314 | static unsigned int ipv6_synproxy_hook(unsigned int hooknum, |
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c index d23dc791aca7..6fd967c6278c 100644 --- a/net/netfilter/nf_synproxy_core.c +++ b/net/netfilter/nf_synproxy_core.c | |||
| @@ -356,12 +356,12 @@ static int __net_init synproxy_net_init(struct net *net) | |||
| 356 | goto err1; | 356 | goto err1; |
| 357 | } | 357 | } |
| 358 | 358 | ||
| 359 | __set_bit(IPS_TEMPLATE_BIT, &ct->status); | ||
| 360 | __set_bit(IPS_CONFIRMED_BIT, &ct->status); | ||
| 361 | if (!nfct_seqadj_ext_add(ct)) | 359 | if (!nfct_seqadj_ext_add(ct)) |
| 362 | goto err2; | 360 | goto err2; |
| 363 | if (!nfct_synproxy_ext_add(ct)) | 361 | if (!nfct_synproxy_ext_add(ct)) |
| 364 | goto err2; | 362 | goto err2; |
| 363 | __set_bit(IPS_TEMPLATE_BIT, &ct->status); | ||
| 364 | __set_bit(IPS_CONFIRMED_BIT, &ct->status); | ||
| 365 | 365 | ||
| 366 | snet->tmpl = ct; | 366 | snet->tmpl = ct; |
| 367 | 367 | ||
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 6113cc7efffc..cd24290f3b2f 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c | |||
| @@ -60,7 +60,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
| 60 | 60 | ||
| 61 | /* This is a fragment, no TCP header is available */ | 61 | /* This is a fragment, no TCP header is available */ |
| 62 | if (par->fragoff != 0) | 62 | if (par->fragoff != 0) |
| 63 | return XT_CONTINUE; | 63 | return 0; |
| 64 | 64 | ||
| 65 | if (!skb_make_writable(skb, skb->len)) | 65 | if (!skb_make_writable(skb, skb->len)) |
| 66 | return -1; | 66 | return -1; |