Add a sysctl (net.inet.tcp.insecure_rst) which allows one to specify

that the RFC 793 specification for accepting RST packets should be
following.  When followed, this makes one vulnerable to the attacks
described in "slipping in the window", but it may be necessary in
some odd circumstances.

sys/netinet/tcp_input.c

@@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
     &tcp_do_rfc3390, 0,
     "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
 
+static int tcp_insecure_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW,
+    &tcp_insecure_rst, 0,
+    "Follow the old (insecure) criteria for accepting RST packets.");
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
 	    "TCP Segment Reassembly Queue");
 
@@ -1528,7 +1533,8 @@ tcp_input(m, off0)
 				goto close;
 
 			case TCPS_ESTABLISHED:
-				if (tp->last_ack_sent != th->th_seq) {
+				if (tp->last_ack_sent != th->th_seq &&
+			 	    tcp_insecure_rst == 0) {
 					tcpstat.tcps_badrst++;
 					goto drop;
 				}

sys/netinet/tcp_reass.c

@@ -131,6 +131,11 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, rfc3390, CTLFLAG_RW,
     &tcp_do_rfc3390, 0,
     "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)");
 
+static int tcp_insecure_rst = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, insecure_rst, CTLFLAG_RW,
+    &tcp_insecure_rst, 0,
+    "Follow the old (insecure) criteria for accepting RST packets.");
+
 SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
 	    "TCP Segment Reassembly Queue");
 
@@ -1528,7 +1533,8 @@ tcp_input(m, off0)
 				goto close;
 
 			case TCPS_ESTABLISHED:
-				if (tp->last_ack_sent != th->th_seq) {
+				if (tp->last_ack_sent != th->th_seq &&
+			 	    tcp_insecure_rst == 0) {
 					tcpstat.tcps_badrst++;
 					goto drop;
 				}