git: 02d15215cef2 - main - tcp: improve blackhole support

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Sat, 25 May 2024 08:30:55 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=02d15215cef2a28f1865e6ad5b19f18af1398b8b

commit 02d15215cef2a28f1865e6ad5b19f18af1398b8b
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-05-24 04:59:13 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-05-24 04:59:13 +0000

    tcp: improve blackhole support
    
    There are two improvements to the TCP blackhole support:
    (1) If net.inet.tcp.blackhole is set to 2, also sent no RST whenever
        a segment is received on an existing closed socket or if there is
        a port mismatch when using UDP encapsulation.
    (2) If net.inet.tcp.blackhole is set to 3, no RST segment is sent in
        response to incoming segments on closed sockets or in response to
        unexpected segments on listening sockets.
    Thanks to gallatin@ for suggesting such an improvement.
    
    Reviewed by:            gallatin
    MFC after:              1 week
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D45304
---
 share/man/man4/blackhole.4 | 10 +++++++---
 sys/netinet/tcp_input.c    | 43 +++++++++++++++++++------------------------
 2 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4
index 090f330a6ed8..bb955fd4497d 100644
--- a/share/man/man4/blackhole.4
+++ b/share/man/man4/blackhole.4
@@ -10,7 +10,7 @@
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
-.Dd May 22, 2024
+.Dd May 25, 2024
 .Dt BLACKHOLE 4
 .Os
 .Sh NAME
@@ -21,7 +21,7 @@ MIB for manipulating behaviour in respect of refused SCTP, TCP, or UDP connectio
 attempts
 .Sh SYNOPSIS
 .Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2"
-.Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2"
+.Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2 | 3"
 .Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1"
 .Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1"
 .Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1"
@@ -30,7 +30,8 @@ The
 .Nm
 .Xr sysctl 8
 MIB is used to control system behaviour when connection requests
-are received on SCTP, TCP, or UDP ports where there is no socket listening.
+are received on SCTP, TCP, or UDP ports where there is no socket listening
+or unexpected packets are received on listening sockets.
 .Pp
 The blackhole behaviour is useful to slow down an attacker who is port-scanning
 a system in an attempt to detect vulnerable services.
@@ -61,6 +62,9 @@ is merely dropped, and no RST is sent, making the system appear
 as a blackhole.
 By setting the MIB value to two, any segment arriving
 on a closed port is dropped without returning a RST.
+Setting the MIB value to three, any segment arriving on a closed port
+or an unexpected segment on a listening port is dropped without sending a
+RST in reply.
 This provides some degree of protection against stealth port scans.
 .Ss UDP
 Enabling blackhole behaviour turns off the sending
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 56327bd99cd7..08ff84039c90 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -915,23 +915,6 @@ findpcb:
 				log(LOG_INFO, "%s; %s: Connection attempt "
 				    "to closed port\n", s, __func__);
 		}
-		/*
-		 * When blackholing do not respond with a RST but
-		 * completely ignore the segment and drop it.
-		 */
-		if (((V_blackhole == 1 && (thflags & TH_SYN)) ||
-		    V_blackhole == 2) && (V_blackhole_local || (
-#ifdef INET6
-		    isipv6 ? !in6_localaddr(&ip6->ip6_src) :
-#endif
-#ifdef INET
-		    !in_localip(ip->ip_src)
-#else
-		    true
-#endif
-		    )))
-			goto dropunlock;
-
 		rstreason = BANDLIM_RST_CLOSEDPORT;
 		goto dropwithreset;
 	}
@@ -1410,15 +1393,27 @@ tfo_socket_result:
 	return (IPPROTO_DONE);
 
 dropwithreset:
+	/*
+	 * When blackholing do not respond with a RST but
+	 * completely ignore the segment and drop it.
+	 */
+	if (((rstreason == BANDLIM_RST_OPENPORT && V_blackhole == 3) ||
+	    (rstreason == BANDLIM_RST_CLOSEDPORT &&
+	    ((V_blackhole == 1 && (thflags & TH_SYN)) || V_blackhole > 1))) &&
+	    (V_blackhole_local || (
+#ifdef INET6
+	    isipv6 ? !in6_localaddr(&ip6->ip6_src) :
+#endif
+#ifdef INET
+	    !in_localip(ip->ip_src)
+#else
+	    true
+#endif
+	    )))
+		goto dropunlock;
 	TCP_PROBE5(receive, NULL, tp, m, tp, th);
-
-	if (inp != NULL) {
-		tcp_dropwithreset(m, th, tp, tlen, rstreason);
-		INP_UNLOCK(inp);
-	} else
-		tcp_dropwithreset(m, th, NULL, tlen, rstreason);
+	tcp_dropwithreset(m, th, tp, tlen, rstreason);
 	m = NULL;	/* mbuf chain got consumed. */
-	goto drop;
 
 dropunlock:
 	if (m != NULL)