authorJoachim Fasting <joachifm@fastmail.fm>2016-05-04 02:20:49 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-05-04 03:53:24 +0200
commitda767356f275785950c9847428b60be2d6753943 (patch)
tree5b285a69404860917ce2dfd7769f90bc5bf47014 /nixos/modules/security/grsecurity.nix
parentc5451206ab3d2b2e4442b9e59e6b1fd978a9d57f (diff)
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r--nixos/modules/security/grsecurity.nix17
1 files changed, 17 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 11668162808f..12401f044a7f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -194,6 +194,23 @@ in
           '';
         };
 
+        disableSimultConnect = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Disable TCP simultaneous connect.  The TCP simultaneous connect
+            feature allows two clients to connect without either of them
+            entering the listening state.  This feature of the TCP specification
+            is claimed to enable an attacker to deny the target access to a given
+            server by guessing the source port the target would use to make the
+            connection.
+
+            This option is OFF by default because TCP simultaneous connect has
+            some legitimate uses.  Enable this option if you know what this TCP
+            feature is for and know that you do not need it.
+          '';
+        };
+
         verboseVersion = mkOption {
           type = types.bool;
           default = false;
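Review bot: The description of the new `disableSimultConnect` option says only that TCP simultaneous connect has "some legitimate uses", while the commit message names the concrete casualty (WebRTC); a user reading the option documentation never sees the commit message, so the trade-off belongs in the description itself, e.g. a closing sentence `Disabling it is known to break WebRTC and similar peer-to-peer connection setups.` Nothing in this hunk consumes the option, so the kernel-side wiring is presumably in another file (the diffstat shown is limited to this one); if it maps to the grsecurity kernel configuration symbol (presumably `GRKERNSEC_NO_SIMULT_CONNECT`), naming that symbol and stating that toggling the option triggers a kernel rebuild would let readers locate the upstream documentation and anticipate the cost of flipping it. The enclosing `options` attribute set begins and ends outside the hunk.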