From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Fri, 31 Aug 2012 09:55:53 +0000 (+0000)
Subject: netfilter: Mark SYN/ACK packets as invalid from original direction
X-Git-Tag: v3.6-rc6~18^2~14^2~2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64f509ce71b08d037998e93dd51180c19b2f464c;p=pandora-kernel.git

netfilter: Mark SYN/ACK packets as invalid from original direction

Clients should not send such packets. By accepting them, we open
up a hole by wich ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

Reading git-diff-tree failed