Add net.inet.tcp.blackhole and net.inet.udp.blackhole
sysctl knobs. With these knobs on, connection attempts to a port with no listener are dropped silently: no RST is sent in the TCP case, and no ICMP port unreachable in the UDP case. In the TCP case the RST is suppressed only if the incoming segment has the SYN flag set; other segments to a closed port are still answered with a RST. Docs and rc.conf settings to follow.
This commit is contained in:
parent
cf21d97ccd
commit
83e27dbadf
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
|
||||
* $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
|
||||
* $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
|
||||
*/
|
||||
|
||||
#include "opt_ipfw.h" /* for ipfw_fwd */
|
||||
@ -84,6 +84,10 @@ static int log_in_vain = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
|
||||
&log_in_vain, 0, "Log all incoming TCP connections");
|
||||
|
||||
static int blackhole = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
|
||||
&blackhole, 0, "Do not send RST when dropping refused connections");
|
||||
|
||||
int tcp_delack_enabled = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
|
||||
&tcp_delack_enabled, 0,
|
||||
@ -404,7 +408,10 @@ tcp_input(m, iphlen)
|
||||
if (badport_bandlim(1) < 0)
|
||||
goto drop;
|
||||
#endif
|
||||
goto dropwithreset;
|
||||
if(blackhole && tiflags & TH_SYN)
|
||||
goto drop;
|
||||
else
|
||||
goto dropwithreset;
|
||||
}
|
||||
tp = intotcpcb(inp);
|
||||
if (tp == 0)
|
||||
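Review bot: The new test `if(blackhole && tiflags & TH_SYN)` only suppresses the RST for segments carrying the SYN bit, so with the knob on a bare ACK, FIN or NULL/Xmas probe to a closed port still gets a RST and the host stays visible to those scans; that limit should be stated in the sysctl description, e.g. `"Do not send RST when dropping refused SYN segments (other probes still get RST)"`, since "refused connections" reads as all-inclusive. The expression relies on `&` binding tighter than `&&`, which is correct but easy to misread; write it as `if (blackhole && (tiflags & TH_SYN))` in style(9) form. Note also that the SYN|ACK case matches the test too, so an unsolicited SYN|ACK to a closed port is now dropped rather than reset. The `badport_bandlim(1)` accounting above still runs for blackholed SYNs, so the RST rate limiter is presumably charged for responses that are never sent; its body is outside the hunk, as is the `drop` label, so confirm that `drop` frees the mbuf as the bandlim path already assumes. tcp_input continues outside the hunk.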
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
|
||||
* $Id: tcp_input.c,v 1.86 1999/05/06 18:13:01 peter Exp $
|
||||
* $Id: tcp_input.c,v 1.87 1999/07/18 14:42:48 jmb Exp $
|
||||
*/
|
||||
|
||||
#include "opt_ipfw.h" /* for ipfw_fwd */
|
||||
@ -84,6 +84,10 @@ static int log_in_vain = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
|
||||
&log_in_vain, 0, "Log all incoming TCP connections");
|
||||
|
||||
static int blackhole = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_RW,
|
||||
&blackhole, 0, "Do not send RST when dropping refused connections");
|
||||
|
||||
int tcp_delack_enabled = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_RW,
|
||||
&tcp_delack_enabled, 0,
|
||||
@ -404,7 +408,10 @@ tcp_input(m, iphlen)
|
||||
if (badport_bandlim(1) < 0)
|
||||
goto drop;
|
||||
#endif
|
||||
goto dropwithreset;
|
||||
if(blackhole && tiflags & TH_SYN)
|
||||
goto drop;
|
||||
else
|
||||
goto dropwithreset;
|
||||
}
|
||||
tp = intotcpcb(inp);
|
||||
if (tp == 0)
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
|
||||
* $Id: udp_usrreq.c,v 1.52 1999/06/19 18:43:33 green Exp $
|
||||
* $Id: udp_usrreq.c,v 1.53 1999/07/11 18:32:46 green Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -78,6 +78,10 @@ static int log_in_vain = 0;
|
||||
SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
|
||||
&log_in_vain, 0, "Log all incoming UDP packets");
|
||||
|
||||
static int blackhole = 0;
|
||||
SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_RW,
|
||||
&blackhole, 0, "Do not send port unreachables for refused connects");
|
||||
|
||||
static struct inpcbhead udb; /* from udp_var.h */
|
||||
struct inpcbinfo udbinfo;
|
||||
|
||||
@ -302,7 +306,8 @@ udp_input(m, iphlen)
|
||||
if (badport_bandlim(0) < 0)
|
||||
goto bad;
|
||||
#endif
|
||||
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
|
||||
if(!blackhole)
|
||||
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
|
||||
return;
|
||||
}
|
||||
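Review bot: With `net.inet.udp.blackhole` set, the new `if(!blackhole)` skips `icmp_error()` and falls straight to `return;`, and nothing in this path frees `m`; elsewhere in this stack `icmp_error()` is what consumes and frees the mbuf it is handed, so every datagram to a closed port now leaks an mbuf when the knob is on, a remotely triggerable mbuf-exhaustion condition. The `goto bad` used by the `badport_bandlim(0)` branch two lines above is the right exit, assuming `bad:` (outside the hunk) does the `m_freem(m)`: replace the two new lines with `if (blackhole) goto bad;` followed by the unconditional `icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);`. Also note `badport_bandlim(0)` is still charged before the blackhole check, so the ICMP unreachable limiter counts responses that are never sent; whether that is intended depends on its body, which is outside the hunk. The description string "refused connects" is odd for UDP; `"Do not send ICMP port unreachables for datagrams to closed ports"` says what the knob does. udp_input continues outside the hunk.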
|
||||
|