Diffstat (limited to 'src/kernel/hardened-patches/hardened-patches-2.6-7.6/2010_tcp-stealth-2.6.7.patch')
-rw-r--r--src/kernel/hardened-patches/hardened-patches-2.6-7.6/2010_tcp-stealth-2.6.7.patch184
1 files changed, 184 insertions, 0 deletions
diff --git a/src/kernel/hardened-patches/hardened-patches-2.6-7.6/2010_tcp-stealth-2.6.7.patch b/src/kernel/hardened-patches/hardened-patches-2.6-7.6/2010_tcp-stealth-2.6.7.patch
new file mode 100644
index 0000000000..cd2eb529cd
--- /dev/null
+++ b/src/kernel/hardened-patches/hardened-patches-2.6-7.6/2010_tcp-stealth-2.6.7.patch
@@ -0,0 +1,184 @@
+diff -uprN -X dontdiff linux-2.6.7/include/linux/sysctl.h linux-2.6.7-tcp-stealth/include/linux/sysctl.h
+--- linux-2.6.7/include/linux/sysctl.h 2004-06-16 07:19:35.000000000 +0200
++++ linux-2.6.7-tcp-stealth/include/linux/sysctl.h 2004-06-24 11:27:56.753248176 +0200
+@@ -338,6 +338,10 @@ enum
+ NET_TCP_BIC_LOW_WINDOW=104,
+ NET_TCP_DEFAULT_WIN_SCALE=105,
+ NET_TCP_MODERATE_RCVBUF=106,
++ NET_IPV4_IP_MASQ_UDP_DLOOSE=107,
++ NET_TCP_STACK_SYNFIN=108,
++ NET_TCP_STACK_BOGUS=109,
++ NET_TCP_STACK_ACK=110,
+ };
+
+ enum {
+diff -uprN -X dontdiff linux-2.6.7/net/ipv4/Kconfig linux-2.6.7-tcp-stealth/net/ipv4/Kconfig
+--- linux-2.6.7/net/ipv4/Kconfig 2004-06-16 07:19:44.000000000 +0200
++++ linux-2.6.7-tcp-stealth/net/ipv4/Kconfig 2004-06-24 11:25:42.504657064 +0200
+@@ -324,6 +324,29 @@ config SYN_COOKIES
+
+ If unsure, say N.
+
++config NET_STEALTH
++ bool "IP: TCP stealth options (enabled per default)"
++ depends on INET
++ default n
++ ---help---
++ If you say Y here, note that these options are now enabled by
++ default; you can disable them by executing the commands
++
++ echo 0 >/proc/sys/net/ipv4/tcp_ignore_ack
++ echo 0 >/proc/sys/net/ipv4/tcp_ignore_bogus
++ echo 0 >/proc/sys/net/ipv4/tcp_ignore_synfin
++
++ at boot time after the /proc file system has been mounted.
++
++ If security is more important, say Y.
++
++config NET_STEALTH_LOG
++ bool 'Log all dropped packets'
++ depends on NET_STEALTH
++ ---help---
++ This turns on a logging facility that logs all tcp packets with
++ bad flags. If you said Y to "TCP stealth options", say Y too.
++
+ config INET_AH
+ tristate "IP: AH transformation"
+ select XFRM
+diff -uprN -X dontdiff linux-2.6.7/net/ipv4/sysctl_net_ipv4.c linux-2.6.7-tcp-stealth/net/ipv4/sysctl_net_ipv4.c
+--- linux-2.6.7/net/ipv4/sysctl_net_ipv4.c 2004-06-16 07:19:43.000000000 +0200
++++ linux-2.6.7-tcp-stealth/net/ipv4/sysctl_net_ipv4.c 2004-06-24 11:25:42.516655240 +0200
+@@ -48,6 +48,11 @@ extern int inet_peer_maxttl;
+ extern int inet_peer_gc_mintime;
+ extern int inet_peer_gc_maxtime;
+
++/* stealth stuff */
++extern int sysctl_tcp_ignore_synfin;
++extern int sysctl_tcp_ignore_bogus;
++extern int sysctl_tcp_ignore_ack;
++
+ #ifdef CONFIG_SYSCTL
+ static int tcp_retr1_max = 255;
+ static int ip_local_port_range_min[] = { 1, 1 };
+@@ -320,6 +325,32 @@ ctl_table ipv4_table[] = {
+ .proc_handler = &proc_dointvec
+ },
+ #endif
++#ifdef CONFIG_NET_STEALTH
++ {
++ .ctl_name = NET_TCP_STACK_SYNFIN,
++ .procname = "tcp_ignore_synfin",
++ .data = &sysctl_tcp_ignore_synfin,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec
++ },
++ {
++ .ctl_name = NET_TCP_STACK_BOGUS,
++ .procname = "tcp_ignore_bogus",
++ .data = &sysctl_tcp_ignore_bogus,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec
++ },
++ {
++ .ctl_name = NET_TCP_STACK_ACK,
++ .procname = "tcp_ignore_ack",
++ .data = &sysctl_tcp_ignore_ack,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec
++ },
++#endif
+ {
+ .ctl_name = NET_TCP_TW_RECYCLE,
+ .procname = "tcp_tw_recycle",
+diff -uprN -X dontdiff linux-2.6.7/net/ipv4/tcp_input.c linux-2.6.7-tcp-stealth/net/ipv4/tcp_input.c
+--- linux-2.6.7/net/ipv4/tcp_input.c 2004-06-16 07:19:43.000000000 +0200
++++ linux-2.6.7-tcp-stealth/net/ipv4/tcp_input.c 2004-06-24 11:25:42.538651896 +0200
+@@ -75,6 +75,11 @@
+ int sysctl_tcp_timestamps = 1;
+ int sysctl_tcp_window_scaling = 1;
+ int sysctl_tcp_sack = 1;
++#ifdef CONFIG_NET_STEALTH
++int sysctl_tcp_ignore_synfin = 1;
++int sysctl_tcp_ignore_bogus = 1;
++int sysctl_tcp_ignore_ack = 1;
++#endif
+ int sysctl_tcp_fack = 1;
+ int sysctl_tcp_reordering = TCP_FASTRETRANS_THRESH;
+ int sysctl_tcp_ecn;
+diff -uprN -X dontdiff linux-2.6.7/net/ipv4/tcp_ipv4.c linux-2.6.7-tcp-stealth/net/ipv4/tcp_ipv4.c
+--- linux-2.6.7/net/ipv4/tcp_ipv4.c 2004-06-16 07:19:10.000000000 +0200
++++ linux-2.6.7-tcp-stealth/net/ipv4/tcp_ipv4.c 2004-06-24 11:25:42.551649920 +0200
+@@ -79,6 +79,12 @@ extern int sysctl_ip_dynaddr;
+ int sysctl_tcp_tw_reuse;
+ int sysctl_tcp_low_latency;
+
++#ifdef CONFIG_NET_STEALTH
++extern int sysctl_tcp_ignore_synfin;
++extern int sysctl_tcp_ignore_bogus;
++extern int sysctl_tcp_ignore_ack;
++#endif
++
+ /* Check TCP sequence numbers in ICMP packets. */
+ #define ICMP_MIN_LENGTH 8
+
+@@ -1763,6 +1769,23 @@ int tcp_v4_rcv(struct sk_buff *skb)
+ tcp_v4_checksum_init(skb) < 0))
+ goto bad_packet;
+
++#ifdef CONFIG_NET_STEALTH
++ if(sysctl_tcp_ignore_synfin) {
++ if(th->fin && th->syn)
++ goto tcp_bad_flags;
++ }
++
++ if(sysctl_tcp_ignore_bogus) {
++ if(!(th->ack || th->syn || th->rst) || th->res1)
++ goto tcp_bad_flags;
++ }
++
++ if(sysctl_tcp_ignore_ack) {
++ if(th->fin && th->psh && th->urg)
++ goto tcp_bad_flags;
++ }
++#endif
++
+ th = skb->h.th;
+ TCP_SKB_CB(skb)->seq = ntohl(th->seq);
+ TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
+@@ -1804,6 +1827,33 @@ process:
+
+ return ret;
+
++#ifdef CONFIG_NET_STEALTH_LOG
++tcp_bad_flags:
++ printk(KERN_INFO
++ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
++ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
++ "T=%hu %c%c%c%c%c%c%c%c%c\n",
++ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
++ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
++ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
++ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
++ ntohl(th->ack_seq), skb->nh.iph->ttl,
++ th->res1 ? '1' : '.',
++ th->ece ? 'E' : '.',
++ th->cwr ? 'C' : '.',
++ th->ack ? 'A' : '.',
++ th->syn ? 'S' : '.',
++ th->fin ? 'F' : '.',
++ th->rst ? 'R' : '.',
++ th->psh ? 'P' : '.',
++ th->urg ? 'U' : '.' );
++ goto bad_packet;
++#else
++tcp_bad_flags:
++ goto bad_packet;
++
++#endif /* CONFIG_NET_STEALTH_LOG */
++
+ no_tcp_socket:
+ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+ goto discard_it;
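Review bot: The three flag checks inserted after the checksum test dereference `th` before the kernel's own `th = skb->h.th;` refresh on the very next context line, so they read through a pointer taken before the earlier pskb_may_pull calls; presumably that refresh exists because pulling can relocate the header, in which case the new checks (and the `tcp_bad_flags` log line, which also uses `th`) may inspect stale memory — the `#ifdef CONFIG_NET_STEALTH` block should move below `th = skb->h.th;`. The `tcp_bad_flags` path emits one unthrottled KERN_INFO line per attacker-chosen packet, which lets any remote sender flood the kernel log; guard it with `if (net_ratelimit()) printk(...)`. The `tcp_ignore_ack` sysctl actually drops FIN+PSH+URG ("xmas") probes rather than anything ACK-related, which deserves a comment at the check such as `/* FIN|PSH|URG together: nmap "xmas" probe, never a valid segment */`. tcp_v4_rcv begins and ends outside the hunk, and the `NET_IPV4_IP_MASQ_UDP_DLOOSE=107` enumerator added to sysctl.h is referenced nowhere else in this patch.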