path: root/sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
Diffstat (limited to 'sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch')
-rw-r--r--sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch142
1 files changed, 142 insertions, 0 deletions
diff --git a/sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch b/sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
new file mode 100644
index 00000000..b84e9457
--- /dev/null
+++ b/sys-kernel/boest-v4.4.198/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
@@ -0,0 +1,142 @@
+From dc24bc7c3e9fed59452bb7b4cd4fa575963fa295 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 8 Oct 2008 10:00:42 +0200
+Subject: [PATCH 04/20] TCP: add a sysctl to disable simultaneous connection
+ opening.
+
+Strict implementation of RFC793 (TCP) requires support for a feature
+called "simultaneous connect", which allows two clients to connect to
+each other without anyone entering a listening state. While almost
+never used, and supported by few OSes, Linux supports this feature.
+
+However, it introduces a weakness in the protocol which makes it very
+easy for an attacker to prevent a client from connecting to a known
+server. The attacker only has to guess the source port to shut down
+the client connection during its establishment. The impact is limited,
+but it may be used to prevent an antivirus or IPS from fetching updates
+and not detecting an attack, or to prevent an SSL gateway from fetching
+a CRL for example.
+
+This patch provides a new sysctl "tcp_simult_connect" to enable or disable
+support for this useless feature. It comes disabled by default.
+
+Hundreds of systems running with that feature disabled for more than 4 years
+have never encountered an application which requires it. It is almost never
+supported by firewalls BTW.
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ Documentation/networking/ip-sysctl.txt | 22 ++++++++++++++++++++++
+ include/net/tcp.h | 1 +
+ include/uapi/linux/sysctl.h | 1 +
+ net/ipv4/sysctl_net_ipv4.c | 7 +++++++
+ net/ipv4/tcp_input.c | 6 +++++-
+ 5 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 225348168675..db8010e912b8 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -169,6 +169,28 @@ inet_peer_maxttl - INTEGER
+
+ TCP variables:
+
++tcp_simult_connect - BOOLEAN
++ Enables TCP simultaneous connect feature conforming to RFC793.
++ Strict implementation of RFC793 (TCP) requires support for a feature
++ called "simultaneous connect", which allows two clients to connect to
++ each other without anyone entering a listening state. While almost
++ never used, and supported by few OSes, Linux supports this feature.
++
++ However, it introduces a weakness in the protocol which makes it very
++ easy for an attacker to prevent a client from connecting to a known
++ server. The attacker only has to guess the source port to shut down
++ the client connection during its establishment. The impact is limited,
++ but it may be used to prevent an antivirus or IPS from fetching updates
++ and not detecting an attack, or to prevent an SSL gateway from fetching
++ a CRL for example.
++
++ If you want absolute compatibility with any possible application,
++ you should set it to 1. If you prefer to enhance security on your
++ systems you'd better let it to 0. After four years of usage on
++ hundreds of systems, no application was ever found to require this
++ feature, which is not even supported by most firewalls.
++ Default: 0
++
+ somaxconn - INTEGER
+ Limit of socket listen() backlog, known in userspace as SOMAXCONN.
+ Defaults to 128. See also tcp_max_syn_backlog for additional tuning
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 2a349b7e74be..aa160257eb7f 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -274,6 +274,7 @@ extern int sysctl_tcp_moderate_rcvbuf;
+ extern int sysctl_tcp_tso_win_divisor;
+ extern int sysctl_tcp_workaround_signed_windows;
+ extern int sysctl_tcp_slow_start_after_idle;
++extern int sysctl_tcp_simult_connect;
+ extern int sysctl_tcp_thin_linear_timeouts;
+ extern int sysctl_tcp_thin_dupack;
+ extern int sysctl_tcp_early_retrans;
+diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
+index 0956373b56db..9ceafe8efb42 100644
+--- a/include/uapi/linux/sysctl.h
++++ b/include/uapi/linux/sysctl.h
+@@ -426,6 +426,7 @@ enum
+ NET_TCP_ALLOWED_CONG_CONTROL=123,
+ NET_TCP_MAX_SSTHRESH=124,
+ NET_TCP_FRTO_RESPONSE=125,
++ NET_TCP_SIMULT_CONNECT=126,
+ };
+
+ enum {
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 6413e36d639d..78fbc98ac787 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -542,6 +542,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_doulongvec_minmax,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec,
++ },
+ {
+ .procname = "tcp_wmem",
+ .data = &sysctl_tcp_wmem,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index b0677b265b48..2312e64c2a9c 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -96,6 +96,7 @@ int sysctl_tcp_rfc1337 __read_mostly;
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+ int sysctl_tcp_frto __read_mostly = 2;
+ int sysctl_tcp_min_rtt_wlen __read_mostly = 300;
++int sysctl_tcp_simult_connect __read_mostly;
+
+ int sysctl_tcp_thin_dupack __read_mostly;
+
+@@ -5816,10 +5817,13 @@ discard:
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
++ * This feature is disabled by default as it introduces
++ * weakness in the protocol. It can be enabled by a
++ * sysctl.
+ */
+ tcp_set_state(sk, TCP_SYN_RECV);
+
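Review bot: The new ctl_table entry for "tcp_simult_connect" registers `proc_dointvec` with no bounds, so a knob the documentation hunk declares as BOOLEAN (Default: 0) will accept and store any int, including negative values, even though the only consumer in tcp_input.c tests it as a truth value. If this sysctl_net_ipv4.c still carries the file-scope `zero`/`one` helpers used by its other boolean entries (it does in mainline 4.4, but that is outside this hunk), the entry should read `.proc_handler = proc_dointvec_minmax,` followed by `.extra1 = &zero,` and `.extra2 = &one,` so the value is constrained to 0 or 1. Separately, `.proc_handler = &proc_dointvec` takes the function's address explicitly while the neighbouring entry writes `proc_doulongvec_minmax` bare; the `&` should be dropped for consistency with the surrounding table. The addition of `NET_TCP_SIMULT_CONNECT=126` to the uapi sysctl.h enum exports a new binary-sysctl number as ABI, yet nothing in this patch wires that number into the binary sysctl translation table, so unless that is done elsewhere the enum value appears to have no effect and could be omitted.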