diff options
| author | des <des@FreeBSD.org> | 1999-09-12 17:22:08 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 1999-09-12 17:22:08 +0000 |
| commit | 19e7731a48a4eb97e3756995fb2a8094f13594e6 (patch) | |
| tree | a641d4b8cc1397a0dd5e839b7ca64648e895a156 /sys/netinet | |
| parent | 4c16a85a3ff03636818f24c79ff2bc5947df9263 (diff) | |
| download | FreeBSD-src-19e7731a48a4eb97e3756995fb2a8094f13594e6.zip FreeBSD-src-19e7731a48a4eb97e3756995fb2a8094f13594e6.tar.gz | |
Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/tcp_input.c | 29 | ||||
| -rw-r--r-- | sys/netinet/tcp_reass.c | 29 |
2 files changed, 58 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 53034ff..7fa0da2 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -36,6 +36,7 @@ #include "opt_ipfw.h" /* for ipfw_fwd */ #include "opt_tcpdebug.h" +#include "opt_tcp_input.h" #include <sys/param.h> #include <sys/systm.h> @@ -93,6 +94,18 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, &tcp_delack_enabled, 0, "Delay ACK to try and piggyback it onto a data packet"); +#ifdef TCP_RESTRICT_RST +static int restrict_rst = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW, + &restrict_rst, 0, "Restrict RST emission"); +#endif + +#ifdef TCP_DROP_SYNFIN +static int drop_synfin = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW, + &drop_synfin, 0, "Drop TCP packets with FIN+ACK set"); +#endif + struct inpcbhead tcb; struct inpcbinfo tcbinfo; @@ -340,6 +353,18 @@ tcp_input(m, iphlen) } tiflags = ti->ti_flags; +#ifdef TCP_DROP_SYNFIN + /* + * If the drop_synfin option is enabled, drop all packets with + * both the SYN and FIN bits set. This prevents e.g. nmap from + * identifying the TCP/IP stack. + * + * This is incompatible with RFC1644 extensions (T/TCP). + */ + if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)) + goto drop; +#endif + /* * Convert TCP protocol specific fields to host format. */ @@ -1849,6 +1874,10 @@ dropafterack: return; dropwithreset: +#ifdef TCP_RESTRICT_RST + if (restrict_rst) + goto drop; +#endif /* * Generate a RST, dropping incoming segment. * Make ACK acceptable to originator of segment. diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 53034ff..7fa0da2 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -36,6 +36,7 @@ #include "opt_ipfw.h" /* for ipfw_fwd */ #include "opt_tcpdebug.h" +#include "opt_tcp_input.h" #include <sys/param.h> #include <sys/systm.h> @@ -93,6 +94,18 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, &tcp_delack_enabled, 0, "Delay ACK to try and piggyback it onto a data packet"); +#ifdef TCP_RESTRICT_RST +static int restrict_rst = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, restrict_rst, CTLFLAG_RW, + &restrict_rst, 0, "Restrict RST emission"); +#endif + +#ifdef TCP_DROP_SYNFIN +static int drop_synfin = 0; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW, + &drop_synfin, 0, "Drop TCP packets with FIN+ACK set"); +#endif + struct inpcbhead tcb; struct inpcbinfo tcbinfo; @@ -340,6 +353,18 @@ tcp_input(m, iphlen) } tiflags = ti->ti_flags; +#ifdef TCP_DROP_SYNFIN + /* + * If the drop_synfin option is enabled, drop all packets with + * both the SYN and FIN bits set. This prevents e.g. nmap from + * identifying the TCP/IP stack. + * + * This is incompatible with RFC1644 extensions (T/TCP). + */ + if (drop_synfin && (tiflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN)) + goto drop; +#endif + /* * Convert TCP protocol specific fields to host format. */ @@ -1849,6 +1874,10 @@ dropafterack: return; dropwithreset: +#ifdef TCP_RESTRICT_RST + if (restrict_rst) + goto drop; +#endif /* * Generate a RST, dropping incoming segment. * Make ACK acceptable to originator of segment. |
