Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few

very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (second of three commits)
2001-03-19 22:07:32 +00:00 · 2001-03-19 22:07:32 +00:00 · cc084f7587
commit cc084f7587
parent 11b876c98e
9 changed files with 0 additions and 58 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -79,7 +79,6 @@ tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
 # TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details.
 tcp_drop_synfin="NO"		# Set to YES to drop TCP packets with SYN+FIN
 				# NOTE: this violates the TCP specification
-tcp_restrict_rst="NO"		# Set to YES to restrict emission of RST
 icmp_drop_redirect="NO"		# Set to YES to ignore ICMP REDIRECT packets
 icmp_log_redirect="NO"		# Set to YES to log ICMP REDIRECT packets
 network_interfaces="auto"	# List of network interfaces (or "auto").
--- a/etc/network.subr
+++ b/etc/network.subr
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/etc/rc.network
+++ b/etc/rc.network
@ -394,13 +394,6 @@ network_pass1() {
 		;;
 	esac

-	case ${tcp_restrict_rst} in
-	[Yy][Ee][Ss])
-		echo -n ' restrict TCP reset=YES'
-		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
-		;;
-	esac
-
 	case ${tcp_drop_synfin} in
 	[Yy][Ee][Ss])
 		echo -n ' drop SYN+FIN packets=YES'
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -470,14 +470,6 @@ This prevents OS fingerprinting, but may
 break some legitimate applications.
 This option is only available if the
 kernel was built with the TCP_DROP_SYNFIN option.
-.It Ar tcp_restrict_rst
-(bool) Set to
-.Ar NO
-by default.
-Setting to YES will cause the kernel to refrain from emitting TCP RST frames
-in response to invalid TCP packets (e.g. frames destined for closed ports).
-This option is only available if the kernel was built with the
-TCP_RESTRICT_RST option.
 .It Ar icmp_drop_redirect
 (bool) Set to
 .Ar NO