firewall3: remove redundant syn check
author Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Sun, 25 Apr 2021 17:40:52 +0000 (18:40 +0100)
committer Rui Salvaterra <rsalvaterra@gmail.com>
Sat, 8 Jan 2022 11:33:58 +0000 (11:33 +0000)
syn_flood chain entry is guarded by '--syn' checks in the calling chains, so the
syn_flood chain doesn't need to check packet flags; it only needs to count and
potentially drop.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
defaults.c

index 7ad4fbae8439177f9b04f637ff9fa8c22f70e635..8a9a9295f00500ca7ba655de111acc643d41b214 100644
@@ -278,8 +278,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 
                if (defs->syn_flood)
                {
-                       r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
-                       fw3_ipt_rule_extra(r, "--syn");
+                       r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL);
                        fw3_ipt_rule_limit(r, &defs->syn_flood_rate);
                        fw3_ipt_rule_target(r, "RETURN");
                        fw3_ipt_rule_append(r, "syn_flood");
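Review bot: the rewritten rule now relies on an invariant the hunk itself cannot show: with `&tcp` and `fw3_ipt_rule_extra(r, "--syn")` removed, the limit/RETURN rule appended to `syn_flood` matches any packet that reaches the chain, so correctness rests entirely on every jump into `syn_flood` being guarded by `-p tcp --syn`, as the commit message asserts. Suggest adding a short comment above `r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL);` stating that the chain must only be entered from `--syn`-guarded rules, so a future caller that jumps to `syn_flood` without that guard does not silently place non-SYN traffic under the `syn_flood_rate` limit and the drop that follows it.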