Make TCP_DROP_SYNFIN a standard part of TCP. Disabled by default it
doesn't impede normal operation negatively and is only a few lines of code. Its close relatives blackhole and log_in_vain aren't options either.
This commit is contained in:
parent
703c934a48
commit
85c497918c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=167774
@ -875,12 +875,6 @@ options MBUF_STRESS_TEST
|
||||||
options ACCEPT_FILTER_DATA
|
options ACCEPT_FILTER_DATA
|
||||||
options ACCEPT_FILTER_HTTP
|
options ACCEPT_FILTER_HTTP
|
||||||
|
|
||||||
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
|
|
||||||
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
|
|
||||||
# for RFC1644 extensions and is not recommended for web servers.
|
|
||||||
#
|
|
||||||
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
|
|
||||||
|
|
||||||
# TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
|
# TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
|
||||||
# carried in TCP option 19. This option is commonly used to protect
|
# carried in TCP option 19. This option is commonly used to protect
|
||||||
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
|
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
|
||||||
|
|
|
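--- a/[PATH NOT SHOWN ON PAGE: file 2]
+++ b/[PATH NOT SHOWN ON PAGE: file 2]
@@ -389,7 +389,6 @@ SLIP_IFF_OPTS opt_slip.h
 TCPDEBUG
 TCP_SIGNATURE opt_inet.h
 TCP_SACK_DEBUG opt_tcp_sack.h
-TCP_DROP_SYNFIN opt_tcp_input.h
 DEV_VLAN opt_vlan.h
 VLAN_ARRAY opt_vlan.h
 XBONEHACK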
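--- a/[PATH NOT SHOWN ON PAGE: file 3]
+++ b/[PATH NOT SHOWN ON PAGE: file 3]
@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
 &tcp_delack_enabled, 0,
 "Delay ACK to try and piggyback it onto a data packet");
 
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
 &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 }
 thflags = th->th_flags;
 
-#ifdef TCP_DROP_SYNFIN
 /*
 * If the drop_synfin option is enabled, drop all packets with
 * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
 */
 if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 goto drop;
-#endif
 
 /*
 * Convert TCP protocol specific fields to host format.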
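--- a/[PATH NOT SHOWN ON PAGE: file 4]
+++ b/[PATH NOT SHOWN ON PAGE: file 4]
@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
 &tcp_delack_enabled, 0,
 "Delay ACK to try and piggyback it onto a data packet");
 
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
 &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 }
 thflags = th->th_flags;
 
-#ifdef TCP_DROP_SYNFIN
 /*
 * If the drop_synfin option is enabled, drop all packets with
 * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
 */
 if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 goto drop;
-#endif
 
 /*
 * Convert TCP protocol specific fields to host format.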
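--- a/[PATH NOT SHOWN ON PAGE: file 5]
+++ b/[PATH NOT SHOWN ON PAGE: file 5]
@@ -99,7 +99,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>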