From c0359d6dfbba1124c5b2da60bc56947e7f21769a Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 8 Jul 2013 15:17:56 +0200
Subject: [PATCH] iptables: Only jump into BADTCP for TCP packets.

This saves us from evaluating lots of rules for non-TCP packets.
---
 src/initscripts/init.d/firewall | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 851f3ec6d..000d3252d 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -70,13 +70,13 @@ iptables_init() {
 # NEW TCP without SYN
 /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+ /sbin/iptables -A INPUT -p tcp -j BADTCP
+ /sbin/iptables -A FORWARD -p tcp -j BADTCP
+
 # Connection tracking chain
 /sbin/iptables -N CONNTRACK
 /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A INPUT -j BADTCP
- /sbin/iptables -A FORWARD -j BADTCP
-
 # Fix for braindead ISP's
 /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
--
2.39.2
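Review bot: The two added INPUT/FORWARD jumps carry no comment explaining the new `-p tcp` qualifier, and the constraint it introduces is easy to miss when reading the BADTCP chain definition alone: any rule appended to BADTCP later that is meant to match non-TCP traffic would never be reached, because the only entry points into the chain now filter on TCP. I would add `# BADTCP only holds TCP sanity checks; jump into it for TCP only (non-TCP rules added there would be unreachable)` above the first added line so the coupling is visible where the chain is hooked. The jumps now sit immediately after the BADTCP rules and before the CONNTRACK chain is created, which groups the chain with its hook points; whether the bad-TCP checks are still evaluated ahead of the ESTABLISHED,RELATED accept in INPUT and FORWARD depends on where those chains jump to CONNTRACK, which is outside this hunk and cannot be confirmed here. iptables_init() continues past the end of the hunk.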