Commit 48f8e0af authored by David S. Miller's avatar David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
The following batch contains:

* Three fixes for the new synproxy target available in your
  net-next tree, from Jesper D. Brouer and Patrick McHardy.

* One fix for TCPMSS to correctly handling the fragmentation
  case, from Phil Oester. I'll pass this one to -stable.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c995ae22 1205e1fa
...@@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
synproxy_parse_options(skb, par->thoff, th, &opts); synproxy_parse_options(skb, par->thoff, th, &opts);
if (th->syn && !th->ack) { if (th->syn && !(th->ack || th->fin || th->rst)) {
/* Initial SYN from client */ /* Initial SYN from client */
this_cpu_inc(snet->stats->syn_received); this_cpu_inc(snet->stats->syn_received);
...@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(skb, th, &opts); synproxy_send_client_synack(skb, th, &opts);
} else if (th->ack && !(th->fin || th->rst)) return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */ /* ACK from client */
synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
return NF_DROP;
}
return NF_DROP; return XT_CONTINUE;
} }
static unsigned int ipv4_synproxy_hook(unsigned int hooknum, static unsigned int ipv4_synproxy_hook(unsigned int hooknum,
......
...@@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
synproxy_parse_options(skb, par->thoff, th, &opts); synproxy_parse_options(skb, par->thoff, th, &opts);
if (th->syn) { if (th->syn && !(th->ack || th->fin || th->rst)) {
/* Initial SYN from client */ /* Initial SYN from client */
this_cpu_inc(snet->stats->syn_received); this_cpu_inc(snet->stats->syn_received);
...@@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -300,11 +300,15 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(skb, th, &opts); synproxy_send_client_synack(skb, th, &opts);
} else if (th->ack && !(th->fin || th->rst)) return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */ /* ACK from client */
synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
return NF_DROP;
}
return NF_DROP; return XT_CONTINUE;
} }
static unsigned int ipv6_synproxy_hook(unsigned int hooknum, static unsigned int ipv6_synproxy_hook(unsigned int hooknum,
......
...@@ -356,12 +356,12 @@ static int __net_init synproxy_net_init(struct net *net) ...@@ -356,12 +356,12 @@ static int __net_init synproxy_net_init(struct net *net)
goto err1; goto err1;
} }
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
if (!nfct_seqadj_ext_add(ct)) if (!nfct_seqadj_ext_add(ct))
goto err2; goto err2;
if (!nfct_synproxy_ext_add(ct)) if (!nfct_synproxy_ext_add(ct))
goto err2; goto err2;
__set_bit(IPS_TEMPLATE_BIT, &ct->status);
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
snet->tmpl = ct; snet->tmpl = ct;
......
...@@ -60,7 +60,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, ...@@ -60,7 +60,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
/* This is a fragment, no TCP header is available */ /* This is a fragment, no TCP header is available */
if (par->fragoff != 0) if (par->fragoff != 0)
return XT_CONTINUE; return 0;
if (!skb_make_writable(skb, skb->len)) if (!skb_make_writable(skb, skb->len))
return -1; return -1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment