authordes <des@FreeBSD.org>1999-09-12 17:22:08 +0000
committerdes <des@FreeBSD.org>1999-09-12 17:22:08 +0000
commit19e7731a48a4eb97e3756995fb2a8094f13594e6 (patch)
treea641d4b8cc1397a0dd5e839b7ca64648e895a156 /etc
parent4c16a85a3ff03636818f24c79ff2bc5947df9263 (diff)
Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel options, respectively. See the comments in LINT for details.
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf3
-rw-r--r--etc/network.subr10
-rw-r--r--etc/rc.d/netoptions10
-rw-r--r--etc/rc.d/network110
-rw-r--r--etc/rc.d/network210
-rw-r--r--etc/rc.d/network310
-rw-r--r--etc/rc.d/routing10
-rw-r--r--etc/rc.network10
8 files changed, 73 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 9bc1a75..b62f6f9 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -49,6 +49,9 @@ natd_flags="" # Additional flags for natd.
tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
log_in_vain="NO" # YES to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
+tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
+tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
+ # NOTE: this breaks rfc1644 extensions (T/TCP)
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
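Review bot: The comments on the new `tcp_restrict_rst` and `tcp_drop_synfin` defaults do not say that the knobs only work on a kernel built with the matching option, which the commit message states is required (TCP_RESTRICT_RST and TCP_DROP_SYNFIN). An administrator who sets them to YES on a stock kernel has no hint here that nothing was hardened. I would extend the comments, e.g. `tcp_restrict_rst="NO" # Set to YES to restrict emission of RST (requires options TCP_RESTRICT_RST)` and `tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN (requires options TCP_DROP_SYNFIN)`. The existing T/TCP note on `tcp_drop_synfin` is worth keeping as is.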
diff --git a/etc/network.subr b/etc/network.subr
index d132525..781c73f 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
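Review bot: Both new blocks print their status (' restrict TCP reset=YES', ' drop SYN+FIN packets=YES') before running `sysctl -w` and then ignore its exit status. On a kernel without TCP_RESTRICT_RST or TCP_DROP_SYNFIN the variable presumably does not exist, so the boot output would report hardening that was never applied. Printing only on success avoids that, e.g. `sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null && echo -n ' drop SYN+FIN packets=YES'`, and likewise for `restrict_rst`. As a style point, the tests use `"X$tcp_restrict_rst" = X"YES"` while the adjacent context line uses `"${ipxgateway_enable}" = "YES"`; matching the neighbouring form keeps network_pass1 consistent. The same applies to the identical hunks for etc/rc.d/netoptions, network1, network2, network3, routing and etc/rc.network; network_pass1 begins and ends outside the hunk.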
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index d132525..781c73f 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index d132525..781c73f 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index d132525..781c73f 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index d132525..781c73f 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index d132525..781c73f 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
diff --git a/etc/rc.network b/etc/rc.network
index d132525..781c73f 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -229,6 +229,16 @@ network_pass1() {
sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
fi
+ if [ "X$tcp_restrict_rst" = X"YES" ]; then
+ echo -n ' restrict TCP reset=YES'
+ sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
+ fi
+
+ if [ "X$tcp_drop_synfin" = X"YES" ]; then
+ echo -n ' drop SYN+FIN packets=YES'
+ sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
+ fi
+
if [ "${ipxgateway_enable}" = "YES" ]; then
echo -n ' IPX gateway=YES'
sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null