• Patrick McHardy's avatar
    netfilter: add SYNPROXY core/target · 48b1de4c
    Patrick McHardy authored
    Add a SYNPROXY for netfilter. The code is split into two parts, the synproxy
    core with common functions and an address family specific target.
    
    The SYNPROXY receives the connection request from the client, responds with
    a SYN/ACK containing a SYN cookie and announcing a zero window and checks
    whether the final ACK from the client contains a valid cookie.
    
    It then establishes a connection to the original destination and, if
    successful, sends a window update to the client with the window size
    announced by the server.
    
    Support for timestamps, SACK, window scaling and MSS options can be
    statically configured as target parameters if the features of the server
    are known. If timestamps are used, the timestamp value sent back to
    the client in the SYN/ACK will be different from the real timestamp of
    the server. In order to now break PAWS, the timestamps are translated in
    the direction server->client.
    Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
    Tested-by: default avatarMartin Topholm <mph@one.com>
    Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    48b1de4c
Makefile 6.64 KB