Add a mode which doesn't send a reject for syn packets without a valid key.
A full-featured solution could make that choice choosable by setsockopt() (per socket) or sysctl (system global), but usually a system uses only one policy in its firewall (either reject or drop). So a configure option should be good enough for most use cases to mimic the default policy of the firewall (and is the shortest patch).
Signed-off-by: Alexander Holler <[email protected]>
--- net/ipv4/Kconfig | 9 +++++++++ net/ipv4/tcp_ipv4.c | 4 ++++ net/ipv6/tcp_ipv6.c | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index d496cbd7..e0ae9a1 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -627,3 +627,12 @@ config TCP_STEALTH know what this means, you do not need it. If unsure, say N. + +config TCP_STEALTH_DROP + bool "TCP: Stealth drop bad syn packets" + depends on TCP_STEALTH + default n + ---help--- + Don't reject but be silent on bad syn packets (drop them) + + If unsure, say N. diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 90d4468..1bab2f4 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1591,7 +1591,11 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH) && tcp_stealth_do_auth(sk, skb)) { rsk = sk; +#ifdef CONFIG_TCP_STEALTH_DROP + goto discard; +#else goto reset; +#endif } #endif diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f9a3d93..2a9777c 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -1417,8 +1417,12 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) if (sk->sk_state == TCP_LISTEN && th->syn && !th->fin && tp->stealth.mode & TCP_STEALTH_MODE_AUTH && tcp_stealth_do_auth(sk, skb)) +#ifdef CONFIG_TCP_STEALTH_DROP + goto discard; +#else goto reset; #endif +#endif if (sk->sk_state == TCP_LISTEN) { struct sock *nsk = tcp_v6_hnd_req(sk, skb); -- 1.8.3.1 _______________________________________________ GNUnet-developers mailing list [email protected] https://lists.gnu.org/mailman/listinfo/gnunet-developers
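Review bot: the Kconfig help text for TCP_STEALTH_DROP should say what is dropped and why an administrator would want that, because this is a build-time, system-wide policy that cannot be changed afterwards; something like `Silently drop SYN packets that fail TCP stealth authentication instead of answering them with a RST, so that a guarded port behaves like one the firewall DROPs.` Also remove the `default n` line, which is already the default for a bool, and end the help sentence with a full stop.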
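Review bot: in the tcp_v4_do_rcv hunk, `rsk = sk;` exists only to feed the `reset` label, so with CONFIG_TCP_STEALTH_DROP set it becomes a dead store before `goto discard`; move the assignment into the `#else` branch next to `goto reset;`. Since a SYN dropped this way leaves no trace at all, it would also help an operator who is debugging a client with a wrong key to count these drops in a statistic next to the existing TCP counters; otherwise a misconfigured key looks exactly like a firewall drop.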
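Review bot: in the tcp_v6_do_rcv hunk the `if` has no braces, so the new `#ifdef CONFIG_TCP_STEALTH_DROP` / `#else` block sits between the condition and its single statement; this compiles only because both branches are exactly one `goto`, and the two adjacent `#endif` lines make the nesting hard to read (the unchanged `#endif` now closes the new inner `#ifdef`, the added one closes `CONFIG_TCP_STEALTH`). Add braces around the body, as the tcp_v4_do_rcv version already has, and place the added `#endif` before the existing one so the diff shows which conditional each belongs to.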
