netfilter: Mark SYN/ACK packets as invalid from original direction

Clients should not send such packets. By accepting them, we open
up a hole by wich ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/nf_conntrack_proto_tcp.c

@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *	sCL -> sSS
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
 /*
  *	sNO -> sIV	Too late and no reason to do anything
  *	sSS -> sIV	Client can't send SYN and then SYN/ACK
  *	sS2 -> sSR	SYN/ACK sent to SYN2 in simultaneous open
- *	sSR -> sIG
+ *	sSR -> sSR	Late retransmitted SYN/ACK in simultaneous open
- *	sES -> sIG	Error: SYNs in window outside the SYN_SENT state
+ *	sES -> sIV	Invalid SYN/ACK packets sent by the client
- *			are errors. Receiver will reply with RST
+ *	sFW -> sIV
- *			and close the connection.
+ *	sCW -> sIV
- *			Or we are not in sync and hold a dead connection.
+ *	sLA -> sIV
- *	sFW -> sIG
+ *	sTW -> sIV
- *	sCW -> sIG
+ *	sCL -> sIV
- *	sLA -> sIG
- *	sTW -> sIG
- *	sCL -> sIG
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
 /*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },