diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 535969383547..8e2c4471654b 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -875,12 +875,6 @@ options MBUF_STRESS_TEST
 options ACCEPT_FILTER_DATA
 options ACCEPT_FILTER_HTTP
-# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
-# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
-# for RFC1644 extensions and is not recommended for web servers.
-#
-options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
-
 # TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
 # carried in TCP option 19. This option is commonly used to protect
 # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
diff --git a/sys/conf/options b/sys/conf/options
index 0a46bb3fc13f..63de06140ddc 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -389,7 +389,6 @@ SLIP_IFF_OPTS opt_slip.h
 TCPDEBUG
 TCP_SIGNATURE opt_inet.h
 TCP_SACK_DEBUG opt_tcp_sack.h
-TCP_DROP_SYNFIN opt_tcp_input.h
 DEV_VLAN opt_vlan.h
 VLAN_ARRAY opt_vlan.h
 XBONEHACK
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index b94427285bbe..91f730836af2 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 #include
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
 &tcp_delack_enabled, 0,
 "Delay ACK to try and piggyback it onto a data packet");
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
 &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
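Review bot: With `#ifdef TCP_DROP_SYNFIN` gone, `net.inet.tcp.drop_synfin` is present in every kernel, but the only text that warned about its cost — the NOTES paragraph removed in the first hunk, which says it breaks RFC1644 extensions and is not recommended for web servers — goes away with it, and the sysctl description only says "Drop TCP packets with SYN+FIN set". I would carry the caveat into the description so an operator toggling the knob sees it: `&drop_synfin, 0, "Drop TCP packets with SYN+FIN set (breaks RFC1644 extensions)");`. The default of 0 is unchanged, so kernels that were built without the old option keep their current behavior. The same hunk appears verbatim in tcp_reass.c and this note applies there as well.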
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 }
 thflags = th->th_flags;
-#ifdef TCP_DROP_SYNFIN
 /*
  * If the drop_synfin option is enabled, drop all packets with
  * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
  */
 if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 goto drop;
-#endif
 /*
  * Convert TCP protocol specific fields to host format.
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index b94427285bbe..91f730836af2 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -36,7 +36,6 @@
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 #include
@@ -118,11 +117,9 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
 &tcp_delack_enabled, 0,
 "Delay ACK to try and piggyback it onto a data packet");
-#ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
 &drop_synfin, 0, "Drop TCP packets with SYN+FIN set");
-#endif
 static int tcp_do_rfc3042 = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3042, CTLFLAG_RW,
@@ -601,7 +598,6 @@ tcp_input(m, off0)
 }
 thflags = th->th_flags;
-#ifdef TCP_DROP_SYNFIN
 /*
  * If the drop_synfin option is enabled, drop all packets with
  * both the SYN and FIN bits set. This prevents e.g. nmap from
@@ -611,7 +607,6 @@ tcp_input(m, off0)
  */
 if (drop_synfin && (thflags & (TH_SYN|TH_FIN)) == (TH_SYN|TH_FIN))
 goto drop;
-#endif
 /*
  * Convert TCP protocol specific fields to host format.
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index bdec4a0af234..f6e85262f3c0 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -99,7 +99,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_tcpdebug.h"
-#include "opt_tcp_input.h"
 #include "opt_tcp_sack.h"
 #include
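Review bot: The SYN+FIN test now runs on every segment in every kernel, yet nothing in the hunk shows a rejected segment being counted; the `drop` label that `goto drop` reaches is outside the hunk, so whether it accounts for the discard in the TCP statistics cannot be seen here. If it does not, a dedicated counter would let an administrator confirm that the sysctl is actually discarding traffic instead of inferring it from connections that never appear, and it would make the knob's effect visible to monitoring. The test itself looks sound: the flags field is a single byte and needs no byte-order conversion, so reading it before the "Convert TCP protocol specific fields to host format" block that follows is fine. tcp_input() begins and ends outside the hunk, and the identical hunk in tcp_reass.c is covered by this note.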