---
- branch: MAIN
  date: Thu Mar 1 06:08:44 UTC 2018
  files:
  - new: '1.383'
    old: '1.382'
    path: src/sys/netinet/tcp_input.c
    pathrev: src/sys/netinet/tcp_input.c@1.383
    type: modified
  id: 20180301T060844Z.eda924ccc7b12a41963d3e4b1276a0892e32c98e
  log: |
    Revert rev1.183 (2003).

    It was intended as an optimization, but it increases the attack surface:
    the IPsec policy is not enforced on RST packets when the socket is in the
    LISTEN state, and an (unauthenticated) attacker could jam the connection
    between two IPsec hosts by sending RST packets between the client's SYN
    and ACK packets.

    Discussed with ozaki-r@.
  module: src
  subject: 'CVS commit: src/sys/netinet'
  unixtime: '1519884524'
  user: maxv