netfilter: SYNPROXY: let unrelated packets continue

[mirror_ubuntu-artful-kernel.git] / net / ipv4 / netfilter / ipt_SYNPROXY.c

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 90e489eb1c0a346cfe0c5c15cf52900f908f0a2f..67e17dcda65e64f27b9ca5b244561ab2d7fc594f 100644 (file)
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -285,11 +285,15 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
                                          XT_SYNPROXY_OPT_ECN);
 
                synproxy_send_client_synack(skb, th, &opts);
-       } else if (th->ack && !(th->fin || th->rst || th->syn))
+               return NF_DROP;
+
+       } else if (th->ack && !(th->fin || th->rst || th->syn)) {
                /* ACK from client */
                synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
+               return NF_DROP;
+       }
 
-       return NF_DROP;
+       return XT_CONTINUE;
 }
 
 static unsigned int ipv4_synproxy_hook(unsigned int hooknum,