netfilter: SYNPROXY: let unrelated packets continue

Packets reaching SYNPROXY were default dropped, as they were most
likely invalid (given the recommended state matching).  This
patch, changes SYNPROXY target to let packets, not consumed,
continue being processed by the stack.

This will be more in line other target modules. As it will allow
more flexible configurations of handling, logging or matching on
packets in INVALID states.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 6 insertions, 2 deletions

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 90e489eb1c0a..67e17dcda65e 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
                                           XT_SYNPROXY_OPT_ECN);
 
                 synproxy_send_client_synack(skb, th, &opts);
-        } else if (th->ack && !(th->fin || th->rst || th->syn))
+                return NF_DROP;
+
+        } else if (th->ack && !(th->fin || th->rst || th->syn)) {
                 /* ACK from client */
                 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
+                return NF_DROP;
+        }
 
-        return NF_DROP;
+        return XT_CONTINUE;
 }
 
 static unsigned int ipv4_synproxy_hook(unsigned int hooknum,