firewall3: remove redundant syn check

syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the
syn_flood chain doesn't need to check packet flags, it only needs to count and
potentially drop.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant 2 years ago
parent
commit
24ba465b8a
1 changed files with 1 additions and 2 deletions

+ 1 - 2
defaults.c

@@ -278,8 +278,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 
 		if (defs->syn_flood)
 		{
-			r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
-			fw3_ipt_rule_extra(r, "--syn");
+			r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL);
 			fw3_ipt_rule_limit(r, &defs->syn_flood_rate);
 			fw3_ipt_rule_target(r, "RETURN");
 			fw3_ipt_rule_append(r, "syn_flood");
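Review bot: the rule built by `fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL)` now matches every packet that reaches `syn_flood`, so the rate limit is only correct while every jump into the chain keeps its `--syn` guard, and nothing at this site records that dependency. A short comment above the call stating that callers must filter on `--syn` would help. Without it, a later unguarded jump would let non-SYN or non-TCP packets count against `syn_flood_rate` and fall through to whatever follows the RETURN rule. It is also worth confirming that `tcp` is still referenced elsewhere in `fw3_print_default_head_rules`, since the removed line was its only use in the visible lines and an unused variable would produce a compiler warning.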