authorcsgr <csgr@FreeBSD.org>1999-08-17 12:17:53 +0000
committercsgr <csgr@FreeBSD.org>1999-08-17 12:17:53 +0000
commit83e27dbadf6d54c9da1816d9e50aa2e0c77cfa3b (patch)
treeb282b74566f8902c296b6e7653f92505d2358c3f
parentcf21d97ccd6296e40a082b743e278c15c6174ed9 (diff)
Add net.inet.tcp.blackhole and net.inet.udp.blackhole
sysctl knobs. With these knobs enabled, refused connection attempts are dropped without sending a RST (TCP) or an ICMP port unreachable (UDP). In the TCP case, sending of RST is inhibited iff the incoming segment was a SYN. Docs and rc.conf settings to follow.
-rw-r--r--sys/netinet/tcp_input.c11
-rw-r--r--sys/netinet/tcp_reass.c11
-rw-r--r--sys/netinet/udp_usrreq.c9
3 files changed, 25 insertions, 6 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 0e3ffb8..1e86379 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
+ * $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
*/
#include "opt_ipfw.h" /* for ipfw_fwd */
@@ -84,6 +84,10 @@ static int log_in_vain = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
&log_in_vain, 0, "Log all incoming TCP connections");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send RST when dropping refused connections");
+
int tcp_delack_enabled = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
&tcp_delack_enabled, 0,
@@ -404,7 +408,10 @@ findpcb:
if (badport_bandlim(1) < 0)
goto drop;
#endif
- goto dropwithreset;
+ if(blackhole && tiflags & TH_SYN)
+ goto drop;
+ else
+ goto dropwithreset;
}
tp = intotcpcb(inp);
if (tp == 0)
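Review bot: The new condition `if(blackhole && tiflags & TH_SYN)` relies on `&&` binding looser than `&`, which parses as intended but is easy to misread and does not follow style(9); write it as `if (blackhole && (tiflags & TH_SYN))` and brace both branches. The sysctl description added in the previous hunk, "Do not send RST when dropping refused connections", overstates the effect, since a RST is still sent for non-SYN segments arriving at a closed port, so either the description or a comment at this site should say the suppression applies to SYNs only. Note also that badport_bandlim(1) is charged before the blackhole test, so blackholed SYNs consume the RST rate-limit budget even though no RST is sent; placing the test ahead of the limiter would avoid that. The identical hunk in tcp_reass.c (same index hashes, apparently a copy of tcp_input.c) carries the same points. The enclosing function continues outside the hunk.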
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 0e3ffb8..1e86379 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
+ * $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
*/
#include "opt_ipfw.h" /* for ipfw_fwd */
@@ -84,6 +84,10 @@ static int log_in_vain = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
&log_in_vain, 0, "Log all incoming TCP connections");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send RST when dropping refused connections");
+
int tcp_delack_enabled = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
&tcp_delack_enabled, 0,
@@ -404,7 +408,10 @@ findpcb:
if (badport_bandlim(1) < 0)
goto drop;
#endif
- goto dropwithreset;
+ if(blackhole && tiflags & TH_SYN)
+ goto drop;
+ else
+ goto dropwithreset;
}
tp = intotcpcb(inp);
if (tp == 0)
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 52da6ab..7076491 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
- * $Id: udp_usrreq.c,v 1.52 1999/06/19 18:43:33 green Exp $
+ * $Id: udp_usrreq.c,v 1.53 1999/07/11 18:32:46 green Exp $
*/
#include <sys/param.h>
@@ -78,6 +78,10 @@ static int log_in_vain = 0;
SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
&log_in_vain, 0, "Log all incoming UDP packets");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send port unreachables for refused connects");
+
static struct inpcbhead udb; /* from udp_var.h */
struct inpcbinfo udbinfo;
@@ -302,7 +306,8 @@ udp_input(m, iphlen)
if (badport_bandlim(0) < 0)
goto bad;
#endif
- icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
+ if(!blackhole)
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
return;
}
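Review bot: When blackhole is set the datagram's mbuf is leaked: icmp_error() takes ownership of m and frees it, but the new guard skips that call and the function falls straight to `return;` without freeing m, so every blackholed datagram to an unbound port costs an mbuf and the pool can be drained by unsolicited traffic. Route the blackhole case through the existing cleanup instead, `if (blackhole) goto bad;` placed before the icmp_error() call, assuming the bad: label (outside the hunk) frees m as it does for the badport_bandlim(0) failure on the line above. As in tcp_input.c, badport_bandlim(0) is charged before the blackhole test, so blackholed datagrams still consume the ICMP rate-limit budget. The sysctl description in the previous hunk, "Do not send port unreachables for refused connects", describes UDP in TCP terms; "for datagrams to unbound ports" would be more accurate. udp_input's body continues outside the hunk.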