netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

[karo-tx-linux.git] / net / ipv4 / netfilter / ipt_SYNPROXY.c

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index c308ee0ee0bcf7b5e96aa80df69ac6066bc0ee60..af2b69b6895f5ae8e326b27e05efa01cc1405e1b 100644 (file)
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -293,12 +293,16 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
                                          XT_SYNPROXY_OPT_ECN);
 
                synproxy_send_client_synack(net, skb, th, &opts);
-               return NF_DROP;
-
+               consume_skb(skb);
+               return NF_STOLEN;
        } else if (th->ack && !(th->fin || th->rst || th->syn)) {
                /* ACK from client */
-               synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq));
-               return NF_DROP;
+               if (synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq))) {
+                       consume_skb(skb);
+                       return NF_STOLEN;
+               } else {
+                       return NF_DROP;
+               }
        }
 
        return XT_CONTINUE;
@@ -367,10 +371,13 @@ static unsigned int ipv4_synproxy_hook(void *priv,
                         * number match the one of first SYN.
                         */
                        if (synproxy_recv_client_ack(net, skb, th, &opts,
-                                                    ntohl(th->seq) + 1))
+                                                    ntohl(th->seq) + 1)) {
                                this_cpu_inc(snet->stats->cookie_retrans);
-
-                       return NF_DROP;
+                               consume_skb(skb);
+                               return NF_STOLEN;
+                       } else {
+                               return NF_DROP;
+                       }
                }
 
                synproxy->isn = ntohl(th->ack_seq);