From 097a9d6bae16257ca039fa6a77f1c9a2b8adbc26 Mon Sep 17 00:00:00 2001
From: des
Date: Mon, 19 Mar 2001 22:07:32 +0000
Subject: [PATCH] Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (second of three commits)
---
etc/defaults/rc.conf | 1 -
etc/network.subr | 7 -------
etc/rc.d/netoptions | 7 -------
etc/rc.d/network1 | 7 -------
etc/rc.d/network2 | 7 -------
etc/rc.d/network3 | 7 -------
etc/rc.d/routing | 7 -------
etc/rc.network | 7 -------
share/man/man5/rc.conf.5 | 8 --------
9 files changed, 58 deletions(-)
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index d05dc7779afb..27e274f7de20 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -79,7 +79,6 @@ tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
 # TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.
 tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
 # NOTE: this violates the TCP specification
-tcp_restrict_rst="NO" # Set to YES to restrict emission of RST
 icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto" # List of network interfaces (or "auto").
diff --git a/etc/network.subr b/etc/network.subr
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
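Review bot: The context line `# TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.` in etc/defaults/rc.conf survives this hunk and still points users at the kernel option the commit retires, so that comment is now stale (it looks like the tail of a multi-line comment whose start is outside the hunk). Anyone carrying `tcp_restrict_rst="YES"` in /etc/rc.conf also loses the behaviour silently, since the rc scripts in the later hunks no longer read the variable and nothing warns about it. The commit message names net.inet.tcp.blackhole as the replacement, so I would reword the surviving comment to refer only to TCP_DROP_SYNFIN and add `# tcp_restrict_rst has been removed; use the net.inet.tcp.blackhole sysctl instead.` beside tcp_drop_synfin so the migration path is discoverable. If the third commit in this series already handles that, this can be ignored.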
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/etc/rc.network b/etc/rc.network
index c1ffb3735a74..fbe8bf3692e9 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -394,13 +394,6 @@ network_pass1() {
 ;;
 esac
 
- case ${tcp_restrict_rst} in
- [Yy][Ee][Ss])
- echo -n ' restrict TCP reset=YES'
- sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
- ;;
- esac
-
 case ${tcp_drop_synfin} in
 [Yy][Ee][Ss])
 echo -n ' drop SYN+FIN packets=YES'
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 76ec46a02878..cc868300b58d 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -470,14 +470,6 @@ This prevents OS fingerprinting, but may break some legitimate applications.
 This option is only available if the kernel was built with the
 TCP_DROP_SYNFIN option.
-.It Ar tcp_restrict_rst
-(bool) Set to
-.Ar NO
-by default.
-Setting to YES will cause the kernel to refrain from emitting TCP RST frames
-in response to invalid TCP packets (e.g. frames destined for closed ports).
-This option is only available if the kernel was built with the
-TCP_RESTRICT_RST option.
 .It Ar icmp_drop_redirect
 (bool) Set to
 .Ar NO