Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few

very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (second of three commits)
svn path=/head/; revision=74493
2001-03-19 22:07:32 +00:00 · 2001-03-19 22:07:32 +00:00 · cc084f7587 · 2020-12-20 02:59:44 +00:00
commit cc084f7587
parent 11b876c98e
9 changed files with 0 additions and 58 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -79,7 +79,6 @@ tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
 # TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.
 tcp_drop_synfin="NO"		# Set to YES to drop TCP packets with SYN+FIN
 				# NOTE: this violates the TCP specification
-tcp_restrict_rst="NO"		# Set to YES to restrict emission of RST
 icmp_drop_redirect="NO"		# Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
--- a/etc/network.subr
+++ b/etc/network.subr
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.network
+++ b/etc/rc.network
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -470,14 +470,6 @@ This prevents OS fingerprinting, but may
 break some legitimate applications.
 This option is only available if the
 kernel was built with the TCP_DROP_SYNFIN option.
-.It Ar tcp_restrict_rst
-(bool) Set to
-.Ar NO
-by default.
-Setting to YES will cause the kernel to refrain from emitting TCP RST frames
-in response to invalid TCP packets (e.g. frames destined for closed ports).
-This option is only available if the kernel was built with the
-TCP_RESTRICT_RST option.
 .It Ar icmp_drop_redirect
 (bool) Set to
 .Ar NO