mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
RFC 1337 describes various TCP (side channel) attacks against prematurely closed connections stalling in TIME-WAIT state, such as DoS or injecting arbitrary TCP segments, and recommends silently discarding RST packets for sockets in this state. While applications still tied to such sockets should tolerate invalid input (thanks to Jon Postel), there is little legitimate reason to send such RST packets altogether.

At the time of writing, no collateral damage related to active RFC 1337 implementations is known. Measurements in productive environments did not reveal any side effects either, which is why I consider enabling RFC 1337 implementation to be a safe change.

See also: https://tools.ietf.org/html/rfc1337

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>