diff options
| author | Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | 2021-04-25 18:40:52 +0100 |
|---|---|---|
| committer | Rui Salvaterra <rsalvaterra@gmail.com> | 2022-01-08 11:33:58 +0000 |
| commit | 24ba465b8a6793588d116297a017aefbf6f339d3 (patch) | |
| tree | 1a7262b610e55e8767feef04d37f3f7735749769 | |
| parent | df1306a96127e91ff2d513a0a67345baaf61d113 (diff) | |
| download | firewall3-24ba465b8a6793588d116297a017aefbf6f339d3.tar.gz | |
firewall3: remove redundant syn check
syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the
syn_flood chain doesn't need to check packet flags, it only needs to count and
potentially drop.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
| -rw-r--r-- | defaults.c | 3 |
1 files changed, 1 insertions, 2 deletions
@@ -278,8 +278,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, if (defs->syn_flood) { - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); - fw3_ipt_rule_extra(r, "--syn"); + r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL); fw3_ipt_rule_limit(r, &defs->syn_flood_rate); fw3_ipt_rule_target(r, "RETURN"); fw3_ipt_rule_append(r, "syn_flood"); |