netfilter: more strict TCP flag matching in SYNPROXY

[karo-tx-linux.git] / net / ipv4 / netfilter / ipt_SYNPROXY.c

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 94371db6aeccc0a99c53da339cf7b068b0008254..90e489eb1c0a346cfe0c5c15cf52900f908f0a2f 100644 (file)
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 
        synproxy_parse_options(skb, par->thoff, th, &opts);
 
-       if (th->syn && !th->ack) {
+       if (th->syn && !(th->ack || th->fin || th->rst)) {
                /* Initial SYN from client */
                this_cpu_inc(snet->stats->syn_received);
 
@@ -285,7 +285,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
                                          XT_SYNPROXY_OPT_ECN);
 
                synproxy_send_client_synack(skb, th, &opts);
-       } else if (th->ack && !(th->fin || th->rst))
+       } else if (th->ack && !(th->fin || th->rst || th->syn))
                /* ACK from client */
                synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));