
[GNUnet-developers] [PATCH] tcp_stealth: add drop packet mode

From: Alexander Holler
Subject: [GNUnet-developers] [PATCH] tcp_stealth: add drop packet mode
Date: Wed, 20 Aug 2014 15:34:22 +0200

Add a mode which doesn't send a reject for syn packets without a valid key.

A full-featured solution could make that choice choosable by setsockopt()
(per socket) or sysctl (system global), but usually a system uses only one
policy in its firewall (either reject or drop). So a configure option
should be good enough for most use cases to mimic the default policy of
the firewall (and is the shortest patch).

Signed-off-by: Alexander Holler <address@hidden>
 net/ipv4/Kconfig    | 9 +++++++++
 net/ipv4/tcp_ipv4.c | 4 ++++
 net/ipv6/tcp_ipv6.c | 4 ++++
 3 files changed, 17 insertions(+)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index d496cbd7..e0ae9a1 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -627,3 +627,12 @@ config TCP_STEALTH
          know what this means, you do not need it.
          If unsure, say N.
+       bool "TCP: Stealth drop bad syn packets"
+       depends on TCP_STEALTH
+       default n
+       ---help---
+         Don't reject but be silent on bad syn packets (drop them)
+         If unsure, say N.
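Review bot: the `config` line that names this option and should precede `bool "TCP: Stealth drop bad syn packets"` is not visible in the hunk, and the header announces 9 added lines where only 6 appear, so either the archive dropped lines or the option is unnamed as posted; the symbol name matters because it is what the tcp_ipv4.c and tcp_ipv6.c changes have to test. The help text should also state the observable effect rather than only "be silent", e.g. "Silently drop SYN packets that fail stealth authentication instead of answering with a RST; the port then looks like a DROP firewall rule (the client sees a timeout, not a refused connection)." and end its first sentence with a full stop.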
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 90d4468..1bab2f4 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1591,7 +1591,11 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
            unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH) &&
            tcp_stealth_do_auth(sk, skb)) {
                rsk = sk;
+               goto discard;
                goto reset;
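Review bot: as rendered, `goto discard;` sits directly before `goto reset;` inside the same block, which makes the reset unreachable; the hunk header counts four added lines but only one is visible, so the `#ifdef`/`#else`/`#endif` lines keyed to the new Kconfig option were presumably lost by the archive and should be confirmed in the applied patch. On the drop path `rsk = sk;` is dead, since `rsk` only feeds the reset. The commit message should also say that the discard path sends nothing back, so a peer without a valid key now sees a timeout instead of a RST, which is exactly what makes the port indistinguishable from a filtered one.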
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index f9a3d93..2a9777c 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1417,8 +1417,12 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff 
        if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin &&
            tp->stealth.mode & TCP_STEALTH_MODE_AUTH &&
            tcp_stealth_do_auth(sk, skb))
+               goto discard;
                goto reset;
        if (sk->sk_state == TCP_LISTEN) {
                struct sock *nsk = tcp_v6_hnd_req(sk, skb);
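Review bot: the `if` has no braces, so `goto discard;` followed by `goto reset;` turns the reset into an unconditional statement outside the condition unless the two are separated by a preprocessor conditional that is not visible here; even with that conditional, a one-statement body per branch is fragile, and wrapping both branches in `{ }` inside the `if` would make the intent explicit. Separately, the IPv4 hunk tests `unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)` while this one tests the plain expression; the two receive paths should match.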
