On Wed, Aug 28, 2013 at 03:14:38PM +0200, Jesper Dangaard Brouer wrote: > Its seems Patrick missed to incoorporate some of my requested changes > during review v2 of SYNPROXY netfilter module. > > Which were, to avoid SYN+ACK packets to enter the path, meant for the > ACK packet from the client (from the 3WHS). > > Further there were a bug in ip6t_SYNPROXY.c, for matching SYN packets > that didn't exclude the ACK flag. > > Go a step further with SYN packet/flag matching by excluding flags > ACK+FIN+RST, in both IPv4 and IPv6 modules. > > > The intented usage of SYNPROXY is as follows: > (gracefully describing usage in commit) > > iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK > iptables -A INPUT -i eth0 -p tcp --dport 80 -m state UNTRACKED,INVALID \ > -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn > > echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose > > This does filter SYN flags early, for packets in the UNTRACKED state, > but packets in the INVALID state with other TCP flags could still > reach the module, thus this stricter flag matching is still needed. > > Signed-off-by: Jesper Dangaard Brouer <brouer@xxxxxxxxxx> Acked-by: Patrick McHardy <kaber@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
