author | 2017-04-20 14:01:45 +0800 | |
---|---|---|
committer | 2017-04-26 09:30:22 +0200 | |
commit | 495dcb56d09ddb63afe30e799af41876c3f061cc (patch) | |
tree | a1f3b7af426436ea25763e5c8f5fe58d29c63263 /tools/perf/scripts/python/export-to-postgresql.py | |
parent | ebtables: remove nf_hook_register usage (diff) | |
netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

Current SYNPROXY code returns NF_DROP during normal TCP handshaking,
which is not friendly to the caller, because nf_hook_slow would treat
NF_DROP as an error and return -EPERM.
As a result, it may cause the top caller to think it has met an error.

For example, the following code is from cfv_rx_poll():

    err = netif_receive_skb(skb);
    if (unlikely(err)) {
        ++cfv->ndev->stats.rx_dropped;
    } else {
        ++cfv->ndev->stats.rx_packets;
        cfv->ndev->stats.rx_bytes += skb_len;
    }

When SYNPROXY returns NF_DROP, netif_receive_skb returns -EPERM.
As a result, the cfv driver would treat it as an error and increase
the rx_dropped counter.

So use NF_STOLEN instead of NF_DROP now, because no error has actually
happened, and free the skb directly.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tools/perf/scripts/python/export-to-postgresql.py')
0 files changed, 0 insertions, 0 deletions