netfilter: nf_tables: Add synproxy support

Add synproxy support for nf_tables. This behaves like the iptables synproxy target but it is structured in a way that allows us to propose improvements in the future. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Fernando Fernandez Mancera <ffmancera@riseup.net> 2019-06-26 12:59:19 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-07-05 21:34:23 +0200
commit: ad49d86e07a497e834cb06f2b151dccd75f8e148 (patch)
tree: 0321bfbb28d45223dfab095050b832bbf4a6a410 /net/netfilter/Kconfig
parent: 6f7b841bc939e7c811ad32427b58d54edbcfa6ed (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21025c2c605b..d59742408d9b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -651,6 +651,17 @@ config NFT_TPROXY
 	help
 	  This makes transparent proxy support available in nftables.
 
+config NFT_SYNPROXY
+	tristate "Netfilter nf_tables SYNPROXY expression support"
+	depends on NF_CONNTRACK && NETFILTER_ADVANCED
+	select NETFILTER_SYNPROXY
+	select SYN_COOKIES
+	help
+	  The SYNPROXY expression allows you to intercept TCP connections and
+	  establish them using syncookies before they are passed on to the
+	  server. This allows to avoid conntrack and server resource usage
+	  during SYN-flood attacks.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
author	Fernando Fernandez Mancera <ffmancera@riseup.net>	2019-06-26 12:59:19 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-07-05 21:34:23 +0200
commit	ad49d86e07a497e834cb06f2b151dccd75f8e148 (patch)
tree	0321bfbb28d45223dfab095050b832bbf4a6a410 /net/netfilter/Kconfig
parent	6f7b841bc939e7c811ad32427b58d54edbcfa6ed (diff)