Make TCP_DROP_SYNFIN a standard part of TCP. Disabled by default it

doesn't impede normal operation negatively and is only a few lines of
code.  It's close relatives blackhole and log_in_vain aren't options
either.

sys/conf/NOTES

@@ -875,12 +875,6 @@ options 	MBUF_STRESS_TEST
 options 	ACCEPT_FILTER_DATA
 options 	ACCEPT_FILTER_HTTP
 
-# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
-# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
-# for RFC1644 extensions and is not recommended for web servers.
-#
-options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
-
 # TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
 # carried in TCP option 19. This option is commonly used to protect
 # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.

sys/conf/options

@@ -389,7 +389,6 @@ SLIP_IFF_OPTS		opt_slip.h
 TCPDEBUG
 TCP_SIGNATURE		opt_inet.h
 TCP_SACK_DEBUG		opt_tcp_sack.h 
-TCP_DROP_SYNFIN		opt_tcp_input.h
 DEV_VLAN		opt_vlan.h
 VLAN_ARRAY		opt_vlan.h
 XBONEHACK

sys/netinet/tcp_input.c

@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
     &tcp_delack_enabled, 0,
     "Delay ACK to try and piggyback it onto a data packet");
 
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
     &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 	}
 	thflags = th->th_flags;
 
-#ifdef TCP_DROP_SYNFIN
 	/*
 	 * If the drop_synfin option is enabled, drop all packets with
 	 * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
 	 */
 	if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 		goto drop;
-#endif
 
 	/*
 	 * Convert TCP protocol specific fields to host format.

sys/netinet/tcp_reass.c

@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
     &tcp_delack_enabled, 0,
     "Delay ACK to try and piggyback it onto a data packet");
 
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
     &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 	}
 	thflags = th->th_flags;
 
-#ifdef TCP_DROP_SYNFIN
 	/*
 	 * If the drop_synfin option is enabled, drop all packets with
 	 * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
 	 */
 	if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 		goto drop;
-#endif
 
 	/*
 	 * Convert TCP protocol specific fields to host format.

sys/netinet/tcp_sack.c

@@ -99,7 +99,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 
 #include <sys/param.h>