From 24ba465b8a6793588d116297a017aefbf6f339d3 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant
Date: Sun, 25 Apr 2021 18:40:52 +0100
Subject: firewall3: remove redundant syn check

syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the syn_flood chain doesn't need to check packet flags, it only needs to count and potentially drop.

Signed-off-by: Kevin Darbyshire-Bryant
---
 defaults.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/defaults.c b/defaults.c
index 7ad4fba..8a9a929 100644
--- a/defaults.c
+++ b/defaults.c
@@ -278,8 +278,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 if (defs->syn_flood)
 {
- r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
- fw3_ipt_rule_extra(r, "--syn");
+ r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL);
 fw3_ipt_rule_limit(r, &defs->syn_flood_rate);
 fw3_ipt_rule_target(r, "RETURN");
 fw3_ipt_rule_append(r, "syn_flood");
-- 
cgit v1.2.1
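Review bot: The rule created on the `+` line now carries no protocol or flag match, so every packet that reaches syn_flood is counted against syn_flood_rate and, once the limit's RETURN stops matching, falls through to the drop the commit message refers to (outside this hunk); the chain's safety therefore rests on an invariant enforced only in callers the hunk does not show, namely that every jump into syn_flood is guarded by `-p tcp --syn`. A later jump added without that guard would silently rate-limit and drop arbitrary traffic, including established flows, so the invariant deserves a comment at the creation site, e.g. `/* Deliberately no -p tcp --syn match: callers only jump here for TCP SYNs, so this chain just counts and drops. */`. If the `tcp` local that was passed as `&tcp` was used only by the removed call it is now unused and will draw a -Wunused-variable warning; its declaration is outside the hunk, so this needs confirming. fw3_print_default_head_rules starts and ends outside this hunk.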