Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
The following batch contains:

* Three fixes for the new synproxy target available in your
  net-next tree, from Jesper D. Brouer and Patrick McHardy.

* One fix for TCPMSS to correctly handling the fragmentation
  case, from Phil Oester. I'll pass this one to -stable.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 3 deletions

diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 4270a9b145e5..19cfea8dbcaa 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 
         synproxy_parse_options(skb, par->thoff, th, &opts);
 
-        if (th->syn) {
+        if (th->syn && !(th->ack || th->fin || th->rst)) {
                 /* Initial SYN from client */
                 this_cpu_inc(snet->stats->syn_received);
 
@@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
                                           XT_SYNPROXY_OPT_ECN);
 
                 synproxy_send_client_synack(skb, th, &opts);
-        } else if (th->ack && !(th->fin || th->rst))
+                return NF_DROP;
+
+        } else if (th->ack && !(th->fin || th->rst || th->syn)) {
                 /* ACK from client */
                 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
+                return NF_DROP;
+        }
 
-        return NF_DROP;
+        return XT_CONTINUE;
 }
 
 static unsigned int ipv6_synproxy_hook(unsigned int hooknum,