From 83e27dbadf6d54c9da1816d9e50aa2e0c77cfa3b Mon Sep 17 00:00:00 2001
From: csgr
Date: Tue, 17 Aug 1999 12:17:53 +0000
Subject: Add net.inet.tcp.blackhole and net.inet.udp.blackhole sysctl knobs.
With these knobs on, refused connection attempts are dropped without sending a RST, or Port unreachable in the UDP case. In the TCP case, sending of RST is inhibited iff the incoming segment was a SYN. Docs and rc.conf settings to follow.
---
sys/netinet/tcp_input.c | 11 +++++++++--
sys/netinet/tcp_reass.c | 11 +++++++++--
sys/netinet/udp_usrreq.c | 9 +++++++--
3 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 0e3ffb8..1e86379 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
+ * $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $ */ #include "opt_ipfw.h" /* for ipfw_fwd */
@@ -84,6 +84,10 @@ static int log_in_vain = 0; SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW, &log_in_vain, 0, "Log all incoming TCP connections");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send RST when dropping refused connections");
+ int tcp_delack_enabled = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, &tcp_delack_enabled, 0,
@@ -404,7 +408,10 @@ findpcb: if (badport_bandlim(1) < 0) goto drop; #endif
- goto dropwithreset;
+ if(blackhole && tiflags & TH_SYN)
+ goto drop;
+ else
+ goto dropwithreset; } tp = intotcpcb(inp); if (tp == 0)
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 0e3ffb8..1e86379 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
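Review bot: The description on the new `net.inet.tcp.blackhole` node, `"Do not send RST when dropping refused connections"`, promises more than the code in this commit delivers: the check added later in the file (`blackhole && tiflags & TH_SYN`) suppresses the RST only for segments that carry SYN, so ACK, FIN or flagless probes to a closed port are still answered with a RST and the knob does not hide closed ports from those scan types. An operator reading `sysctl -d` should see that scope, e.g. `"Do not send RST on refused connections (SYN segments only)"`. The commit message says docs are to follow; the SYN-only limitation belongs in them as well.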
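Review bot: `if(blackhole && tiflags & TH_SYN)` relies on `&` binding tighter than `&&`; it evaluates as intended, but the mixed operators are easy to misread and the surrounding code (`if (badport_bandlim(1) < 0)`) puts a space after `if`, so write `if (blackhole && (tiflags & TH_SYN))`. TH_SYN is also set on SYN|ACK segments, so a stray SYN|ACK for a connection this host never opened is dropped silently too, while the commit message describes the rule as "the incoming segment was a SYN"; if that narrower meaning is intended, test `(tiflags & (TH_SYN|TH_ACK)) == TH_SYN`, and either way document that pure ACK/FIN probes still draw a RST. The blackhole test also sits after the `badport_bandlim(1)` accounting, so silently dropped SYNs are still charged against the RST rate limit; moving the `blackhole` check ahead of the `#ifdef` block would keep that budget for segments that actually produce a RST (the `#ifdef` line itself is outside the hunk, so I cannot see what it guards). The enclosing function begins and ends outside this hunk.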
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
- * $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
+ * $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $ */ #include "opt_ipfw.h" /* for ipfw_fwd */
@@ -84,6 +84,10 @@ static int log_in_vain = 0; SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW, &log_in_vain, 0, "Log all incoming TCP connections");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send RST when dropping refused connections");
+ int tcp_delack_enabled = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW, &tcp_delack_enabled, 0,
@@ -404,7 +408,10 @@ findpcb: if (badport_bandlim(1) < 0) goto drop; #endif
- goto dropwithreset;
+ if(blackhole && tiflags & TH_SYN)
+ goto drop;
+ else
+ goto dropwithreset; } tp = intotcpcb(inp); if (tp == 0)
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 52da6ab..7076491 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
- * $Id: udp_usrreq.c,v 1.52 1999/06/19 18:43:33 green Exp $
+ * $Id: udp_usrreq.c,v 1.53 1999/07/11 18:32:46 green Exp $ */ #include
@@ -78,6 +78,10 @@ static int log_in_vain = 0; SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW, &log_in_vain, 0, "Log all incoming UDP packets");
+static int blackhole = 0;
+SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW,
+ &blackhole, 0, "Do not send port unreachables for refused connects");
+ static struct inpcbhead udb; /* from udp_var.h */ struct inpcbinfo udbinfo;
@@ -302,7 +306,8 @@ udp_input(m, iphlen) if (badport_bandlim(0) < 0) goto bad; #endif
- icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
+ if(!blackhole)
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); return; }
-- cgit v1.1
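Review bot: The tcp_reass.c hunks are byte-identical to the tcp_input.c ones, down to the `$Id: tcp_input.c` header lines and the same `index 0e3ffb8..1e86379`, so this appears to be a second copy of the same file rather than an independent change. If both translation units were ever linked into one kernel, each would define its own `static int blackhole` and register a second `net.inet.tcp.blackhole` node with the same name via `OID_AUTO`, and the two copies would drift independently. If tcp_reass.c is only a historical duplicate, a sentence in the commit message saying so would spare the next reader the comparison; otherwise the knob should live in one place and be shared.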
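Review bot: The new blackhole path in udp_input leaks the packet: after `if(!blackhole) icmp_error(...)` the function does `return;` unconditionally, and on the original path `icmp_error()` was the call that disposed of `m` (assuming it consumes the mbuf it is handed, as the rest of the stack treats it), so with `blackhole` set nothing frees `m` — every datagram to a closed port becomes a leaked mbuf that any unauthenticated remote sender can accumulate, a remote mbuf-exhaustion DoS the moment the knob is enabled. The `badport_bandlim(0)` branch just above already handles "drop without replying" by `goto bad`, so the fix is to replace the `if(!blackhole)` guard with `if (blackhole) goto bad;` ahead of the unchanged `icmp_error()` call; the `bad` label and what it frees are outside the hunk, so that relies on it doing the free its existing use implies. Separately, the sysctl description `"Do not send port unreachables for refused connects"` borrows TCP vocabulary; `"Do not send ICMP port unreachable for datagrams to closed ports"` says what happens. udp_input begins and ends outside this hunk.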