Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote:
> > I don't understand why push,ack is invalid in the first place.
> > If we do not have a valid connection at this point then a pure
> > ack would have the same effect (reset), no?
>
> Under normal circumstances yes, but anyone could cycle and forge
> PSH,ACK packets to the synproxy that are invalid, right? That would
> open up for a DOS against SYNPROXY itself...

No, because synproxy validates the ack sequence number with the syncookie hash.
The ack is dropped if the recomputed cookie doesn't match.

So this patch isn't needed, fortunately.
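To make the point of the reply concrete, here is an added, simplified model of the cookie check being described. It is not code from the netfilter project or the Linux kernel: the kernel derives its SYN cookies with a keyed SipHash over the 4-tuple plus a time counter and also encodes the MSS in the low bits, whereas this model uses a toy FNV-1a hash, a constructed secret, and no MSS encoding. The names `synproxy_isn` and `synproxy_check_ack` are hypothetical. What it shows is why a forged ACK or PSH,ACK for which no connection exists is dropped unless its ack_seq - 1 equals the cookie recomputed for that flow: an attacker without the secret cannot produce a matching value, so such packets cost the proxy one hash computation and nothing more.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed secret; a real implementation uses a per-boot random key. */
static const uint64_t COOKIE_SECRET = 0x9e3779b97f4a7c15ULL;

/* FNV-1a mixing step over an arbitrary byte buffer (toy hash, not SipHash). */
static uint64_t fnv1a_mix(uint64_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Cookie for one flow within one time-counter window, folded to 32 bits
 * so it can be used directly as a TCP initial sequence number. */
static uint32_t syncookie(uint32_t saddr, uint32_t daddr,
                          uint16_t sport, uint16_t dport, uint32_t counter)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a_mix(h, &saddr, sizeof saddr);
    h = fnv1a_mix(h, &daddr, sizeof daddr);
    h = fnv1a_mix(h, &sport, sizeof sport);
    h = fnv1a_mix(h, &dport, sizeof dport);
    h = fnv1a_mix(h, &counter, sizeof counter);
    h = fnv1a_mix(h, &COOKIE_SECRET, sizeof COOKIE_SECRET);
    return (uint32_t)(h ^ (h >> 32));
}

/* ISN the proxy puts in its SYN/ACK: the cookie itself. No state is stored.
 * (hypothetical name) */
uint32_t synproxy_isn(uint32_t saddr, uint32_t daddr,
                      uint16_t sport, uint16_t dport, uint32_t counter)
{
    return syncookie(saddr, daddr, sport, dport, counter);
}

/* Validate an ACK (or PSH,ACK) that arrives with no matching connection.
 * The client must acknowledge ISN + 1, so ack_seq - 1 has to equal the
 * cookie for the current or the immediately preceding counter window.
 * Returns 1 to accept (open the real connection), 0 to drop. (hypothetical name) */
int synproxy_check_ack(uint32_t saddr, uint32_t daddr,
                       uint16_t sport, uint16_t dport,
                       uint32_t ack_seq, uint32_t now_counter)
{
    uint32_t expected = ack_seq - 1;
    if (expected == syncookie(saddr, daddr, sport, dport, now_counter))
        return 1;
    if (expected == syncookie(saddr, daddr, sport, dport, now_counter - 1))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed flow: 10.0.0.1:40000 -> 10.0.0.2:80, counter window 10. */
    uint32_t saddr = 0x0a000001, daddr = 0x0a000002;
    uint16_t sport = 40000, dport = 80;
    uint32_t isn = synproxy_isn(saddr, daddr, sport, dport, 10);

    printf("legit ACK, same window:   %d\n",
           synproxy_check_ack(saddr, daddr, sport, dport, isn + 1, 10));
    printf("legit ACK, next window:   %d\n",
           synproxy_check_ack(saddr, daddr, sport, dport, isn + 1, 11));
    printf("stale ACK, two windows:   %d\n",
           synproxy_check_ack(saddr, daddr, sport, dport, isn + 1, 12));
    printf("forged PSH,ACK, bad seq:  %d\n",
           synproxy_check_ack(saddr, daddr, sport, dport, 0x12345678, 10));
    printf("forged PSH,ACK, other IP: %d\n",
           synproxy_check_ack(0x0a000099, daddr, sport, dport, isn + 1, 10));
    return 0;
}
```

The two-window tolerance is what lets a legitimate client whose ACK crosses a counter boundary still get through, while anything older is treated as just another forged packet; both the legitimate and the forged case cost the proxy the same bounded amount of work, which is the property the reply relies on.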