
Commit 48f8e0af authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
The following batch contains:

* Three fixes for the new synproxy target available in your
  net-next tree, from Jesper D. Brouer and Patrick McHardy.

* One fix for TCPMSS to correctly handle the fragmentation
  case, from Phil Oester. I'll pass this one to -stable.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c995ae22 1205e1fa
+7 −3
@@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)

	synproxy_parse_options(skb, par->thoff, th, &opts);

	if (th->syn && !th->ack) {
	if (th->syn && !(th->ack || th->fin || th->rst)) {
		/* Initial SYN from client */
		this_cpu_inc(snet->stats->syn_received);

@@ -285,13 +285,17 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
					  XT_SYNPROXY_OPT_ECN);

		synproxy_send_client_synack(skb, th, &opts);
	} else if (th->ack && !(th->fin || th->rst))
		return NF_DROP;

	} else if (th->ack && !(th->fin || th->rst || th->syn)) {
		/* ACK from client */
		synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));

		return NF_DROP;
	}

	return XT_CONTINUE;
}

static unsigned int ipv4_synproxy_hook(unsigned int hooknum,
				       struct sk_buff *skb,
				       const struct net_device *in,
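Review bot: The closing `return XT_CONTINUE;` of synproxy_tg4 carries no comment, although it is now the path for every segment that neither branch consumes. With the tightened flag tests that includes SYN combined with FIN or RST, and ACK combined with SYN, FIN or RST; the listing has lost its +/- markers, but the hunk sizes suggest the function previously ended in `return NF_DROP;`, so these segments are no longer dropped by the target itself. I would add above the return `/* Not consumed by SYNPROXY: leave the verdict to later rules (e.g. a drop on conntrack state INVALID) */` so that ruleset authors and auditors do not assume the old default drop. The same comment fits the end of synproxy_tg6 in the next file section. The function body starts outside the hunk.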
+7 −3
@@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)

	synproxy_parse_options(skb, par->thoff, th, &opts);

	if (th->syn) {
	if (th->syn && !(th->ack || th->fin || th->rst)) {
		/* Initial SYN from client */
		this_cpu_inc(snet->stats->syn_received);

@@ -300,13 +300,17 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
					  XT_SYNPROXY_OPT_ECN);

		synproxy_send_client_synack(skb, th, &opts);
	} else if (th->ack && !(th->fin || th->rst))
		return NF_DROP;

	} else if (th->ack && !(th->fin || th->rst || th->syn)) {
		/* ACK from client */
		synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));

		return NF_DROP;
	}

	return XT_CONTINUE;
}

static unsigned int ipv6_synproxy_hook(unsigned int hooknum,
				       struct sk_buff *skb,
				       const struct net_device *in,
+2 −2
@@ -356,12 +356,12 @@ static int __net_init synproxy_net_init(struct net *net)
		goto err1;
	}

	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
	if (!nfct_seqadj_ext_add(ct))
		goto err2;
	if (!nfct_synproxy_ext_add(ct))
		goto err2;
	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
	__set_bit(IPS_CONFIRMED_BIT, &ct->status);

	snet->tmpl = ct;
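Review bot: The two `__set_bit()` calls in synproxy_net_init now come after `nfct_seqadj_ext_add()` and `nfct_synproxy_ext_add()`, but no comment records that this order is required. Presumably the extension helpers expect a conntrack that is not yet marked confirmed; that check is not visible here, so please confirm it against the extension code. A line such as `/* Add extensions first: the template must not be confirmed yet */` above the first `__set_bit()` would keep a later cleanup from moving the calls back. The function and its `err2` label lie outside the hunk.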

+1 −1
@@ -60,7 +60,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,

	/* This is a fragment, no TCP header is available */
	if (par->fragoff != 0)
		return XT_CONTINUE;
		return 0;

	if (!skb_make_writable(skb, skb->len))
		return -1;
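Review bot: The fragment path of tcpmss_mangle_packet returns a bare `0` next to a `return -1;` a few lines later, and the hunk documents neither value. Judging only by these two returns, the function reports an int status rather than a netfilter verdict, so a verdict constant returned here would be read by the caller under that int convention; the caller is outside the hunk, so this is an inference. I would state the convention where it applies, e.g. `return 0; /* nothing changed, not a verdict */`, and give the function a header comment saying what each return value means. The function starts and ends outside the hunk.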