diff options
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6t_SYNPROXY.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c index 4270a9b145e5..19cfea8dbcaa 100644 --- a/net/ipv6/netfilter/ip6t_SYNPROXY.c +++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c | |||
| @@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 284 | 284 | ||
| 285 | synproxy_parse_options(skb, par->thoff, th, &opts); | 285 | synproxy_parse_options(skb, par->thoff, th, &opts); |
| 286 | 286 | ||
| 287 | if (th->syn) { | 287 | if (th->syn && !(th->ack || th->fin || th->rst)) { |
| 288 | /* Initial SYN from client */ | 288 | /* Initial SYN from client */ |
| 289 | this_cpu_inc(snet->stats->syn_received); | 289 | this_cpu_inc(snet->stats->syn_received); |
| 290 | 290 | ||
| @@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 300 | XT_SYNPROXY_OPT_ECN); | 300 | XT_SYNPROXY_OPT_ECN); |
| 301 | 301 | ||
| 302 | synproxy_send_client_synack(skb, th, &opts); | 302 | synproxy_send_client_synack(skb, th, &opts); |
| 303 | } else if (th->ack && !(th->fin || th->rst)) | 303 | return NF_DROP; |
| 304 | |||
| 305 | } else if (th->ack && !(th->fin || th->rst || th->syn)) { | ||
| 304 | /* ACK from client */ | 306 | /* ACK from client */ |
| 305 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); | 307 | synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); |
| 308 | return NF_DROP; | ||
| 309 | } | ||
| 306 | 310 | ||
| 307 | return NF_DROP; | 311 | return XT_CONTINUE; |
| 308 | } | 312 | } |
| 309 | 313 | ||
| 310 | static unsigned int ipv6_synproxy_hook(unsigned int hooknum, | 314 | static unsigned int ipv6_synproxy_hook(unsigned int hooknum, |