netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

[mirror_ubuntu-artful-kernel.git] / net / ipv6 / netfilter / ip6t_SYNPROXY.c

diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 1252537f215ff5e670acb6bab3d7b756a6a1d980..d3c4daa708b9014378f5cdec4b0cc811f9999d92 100644 (file)
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -307,12 +307,17 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
                                          XT_SYNPROXY_OPT_ECN);
 
                synproxy_send_client_synack(net, skb, th, &opts);
-               return NF_DROP;
+               consume_skb(skb);
+               return NF_STOLEN;
 
        } else if (th->ack && !(th->fin || th->rst || th->syn)) {
                /* ACK from client */
-               synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq));
-               return NF_DROP;
+               if (synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq))) {
+                       consume_skb(skb);
+                       return NF_STOLEN;
+               } else {
+                       return NF_DROP;
+               }
        }
 
        return XT_CONTINUE;
@@ -388,10 +393,13 @@ static unsigned int ipv6_synproxy_hook(void *priv,
                         * number match the one of first SYN.
                         */
                        if (synproxy_recv_client_ack(net, skb, th, &opts,
-                                                    ntohl(th->seq) + 1))
+                                                    ntohl(th->seq) + 1)) {
                                this_cpu_inc(snet->stats->cookie_retrans);
-
-                       return NF_DROP;
+                               consume_skb(skb);
+                               return NF_STOLEN;
+                       } else {
+                               return NF_DROP;
+                       }
                }
 
                synproxy->isn = ntohl(th->ack_seq);