Amaury Denoyelle 45f40bac4c MEDIUM: config: prevent communication with privileged ports ... This commit introduces a new global setting named harden.reject_privileged_ports.{tcp|quic}. When active, communications with clients which use privileged source ports are forbidden. Such behavior is considered suspicious as it can be used as spoofing or DNS/NTP amplication attack. Value is configured per transport protocol. For each TCP and QUIC distinct code locations are impacted by this setting. The first one is in sock_accept_conn() which acts as a filter for all TCP based communications just after accept() returns a new connection. The second one is dedicated for QUIC communication in quic_recv(). In both cases, if a privileged source port is used and setting is disabled, received message is silently dropped. By default, protection are disabled for both protocols. This is to be able to backport it without breaking changes on stable release. This should be backported as it is an interesting security feature yet relatively simple to implement.		2024-05-24 14:36:31 +02:00
..
haproxy	MEDIUM: config: prevent communication with privileged ports	2024-05-24 14:36:31 +02:00
import	MINOR: ist: define iststrip() new function	2024-04-26 11:29:25 +02:00
make	BUILD: makefile: support USE_xxx=0 as well	2024-04-11 11:06:19 +02:00