author | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-04 02:20:49 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-04 03:53:24 +0200 |
commit | da767356f275785950c9847428b60be2d6753943 (patch) | |
tree | 5b285a69404860917ce2dfd7769f90bc5bf47014 /nixos/modules/security/grsecurity.nix | |
parent | c5451206ab3d2b2e4442b9e59e6b1fd978a9d57f (diff) | |
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 11668162808f..12401f044a7f 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -194,6 +194,23 @@ in ''; }; + disableSimultConnect = mkOption { + type = types.bool; + default = false; + description = '' + Disable TCP simultaneous connect. The TCP simultaneous connect + feature allows two clients to connect without either of them + entering the listening state. This feature of the TCP specification + is claimed to enable an attacker to deny the target access to a given + server by guessing the source port the target would use to make the + connection. + + This option is OFF by default because TCP simultaneous connect has + some legitimate uses. Enable this option if you know what this TCP + feature is for and know that you do not need it. + ''; + }; + verboseVersion = mkOption { type = types.bool; default = false; |
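Review bot: the hunk only declares `disableSimultConnect`; nothing in this file reads the new option, so on its own the change is a silent no-op unless some other file in the commit (outside this diffstat, which is limited to grsecurity.nix) maps it onto the kernel configuration. Please confirm that consumer exists, and state in the description what the option actually controls so a reader of the module can trace it from the option to its effect. The description also says only that the feature "has some legitimate uses", while the commit message names WebRTC as the known breakage; that concrete example belongs in the description, since the description is what a user sees when deciding whether to enable this. Minor: "is claimed to enable an attacker to deny the target access to a given server" would read better with the source of the claim cited, i.e. the same reference the commit message gives as [1].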