From: Jozsef Kadlecsik
Date: Fri, 31 Aug 2012 09:55:53 +0000 (+0000)
Subject: netfilter: Mark SYN/ACK packets as invalid from original direction
X-Git-Tag: v3.2.35~69
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5ce3e0d724f18d39ca996164baef3011ff3c409;p=pandora-kernel.git

netfilter: Mark SYN/ACK packets as invalid from original direction

commit 64f509ce71b08d037998e93dd51180c19b2f464c upstream.

Clients should not send such packets. By accepting them, we open
up a hole by which ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---