49f817d793
In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server maybe reply an icmp error packet related to the exist
tcp conntrack, so we will access wrong tcp data.
Fix it by checking for the protocol field and only process tcp traffic.
Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| ip6_tables.c | ||
| ip6t_MASQUERADE.c | ||
| ip6t_NPT.c | ||
| ip6t_REJECT.c | ||
| ip6t_SYNPROXY.c | ||
| ip6t_ah.c | ||
| ip6t_eui64.c | ||
| ip6t_frag.c | ||
| ip6t_hbh.c | ||
| ip6t_ipv6header.c | ||
| ip6t_mh.c | ||
| ip6t_rpfilter.c | ||
| ip6t_rt.c | ||
| ip6table_filter.c | ||
| ip6table_mangle.c | ||
| ip6table_nat.c | ||
| ip6table_raw.c | ||
| ip6table_security.c | ||
| nf_conntrack_l3proto_ipv6.c | ||
| nf_conntrack_proto_icmpv6.c | ||
| nf_conntrack_reasm.c | ||
| nf_defrag_ipv6_hooks.c | ||
| nf_dup_ipv6.c | ||
| nf_log_ipv6.c | ||
| nf_nat_l3proto_ipv6.c | ||
| nf_nat_masquerade_ipv6.c | ||
| nf_nat_proto_icmpv6.c | ||
| nf_reject_ipv6.c | ||
| nf_socket_ipv6.c | ||
| nf_tables_ipv6.c | ||
| nft_chain_nat_ipv6.c | ||
| nft_chain_route_ipv6.c | ||
| nft_dup_ipv6.c | ||
| nft_fib_ipv6.c | ||
| nft_masq_ipv6.c | ||
| nft_redir_ipv6.c | ||
| nft_reject_ipv6.c | ||