sys-kernel/linux-{image,sources}-redcore-lts-legacy : drop/disable GRSECURITY stealth networking, breaks IPv6

6 files changed, 854 insertions, 2 deletions

diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
index 7dbc8f7a..a04d18cc 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,7 +8749,6 @@ CONFIG_DEFAULT_SECURITY="apparmor"
 # Hardened Enhancements
 #
 CONFIG_HARDENED_RANDOM=y
-CONFIG_HARDENED_STEALTH_NETWORKING=y
 CONFIG_HARDENED_NO_SIMULT_CONNECT=y
 CONFIG_HARDENED_SYSFS_RESTRICT=y
 CONFIG_HARDENED_FIFO=y
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
new file mode 100644
index 00000000..d290f937
--- /dev/null
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
@@ -0,0 +1,426 @@
+diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+--- a/include/uapi/linux/ip.h	2020-03-07 21:59:46.833570272 +0000
++++ b/include/uapi/linux/ip.h	2020-03-07 22:06:28.909470648 +0000
+@@ -66,9 +66,6 @@
+ 
+ #define IPVERSION	4
+ #define MAXTTL		255
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-#define IPDEFTTL	128
+-#else
+ #define IPDEFTTL	64
+ #endif
+ 
+diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+--- a/net/core/sysctl_net_core.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/core/sysctl_net_core.c	2020-03-07 22:07:10.190076177 +0000
+@@ -36,10 +36,6 @@
+ int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
+ EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-int sysctl_stealth_blackhole __read_mostly = 1;
+-#endif
+-
+ #ifdef CONFIG_RPS
+ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
+ 				void __user *buffer, size_t *lenp, loff_t *ppos)
+@@ -509,17 +505,6 @@
+ 		.proc_handler	= set_default_qdisc
+ 	},
+ #endif
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	{
+-		.procname	= "ip_blackhole",
+-		.data		= &sysctl_stealth_blackhole,
+-		.maxlen		= sizeof(int),
+-		.mode		= 0644,
+-		.proc_handler   = proc_dointvec_minmax,
+-		.extra1		= &zero,
+-		.extra2		= &one,
+-	},
+-#endif
+ #endif /* CONFIG_NET */
+ 	{
+ 		.procname	= "netdev_budget",
+diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+--- a/net/ipv4/icmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/icmp.c	2020-03-07 22:08:25.271177396 +0000
+@@ -195,10 +195,6 @@
+ 	short   error;		/* This ICMP is classed as an error message */
+ };
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
+ 
+ /*
+@@ -938,11 +934,6 @@
+ {
+ 	struct net *net;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+-		return true;
+-#endif
+-
+ 	net = dev_net(skb_dst(skb)->dev);
+ 	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
+ 		struct icmp_bxm icmp_param;
+@@ -970,11 +961,6 @@
+ {
+ 	struct icmp_bxm icmp_param;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+-		return true;
+-#endif
+-
+ 	/*
+ 	 *	Too short.
+ 	 */
+diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/igmp.c	2020-03-07 22:09:13.161879736 +0000
+@@ -136,10 +136,6 @@
+ 	 ((in_dev)->mr_v2_seen && \
+ 	  time_before(jiffies, (in_dev)->mr_v2_seen)))
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static int unsolicited_report_interval(struct in_device *in_dev)
+ {
+ 	int interval_ms, interval_jiffies;
+@@ -741,11 +737,6 @@
+ 	__be32	dst;
+ 	int hlen, tlen;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole))
+-		return -1;
+-#endif
+-
+ 	if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
+ 		return igmpv3_send_report(in_dev, pmc);
+ 
+diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+--- a/net/ipv4/tcp_ipv4.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_ipv4.c	2020-03-07 22:12:16.564568875 +0000
+@@ -95,10 +95,6 @@
+ struct inet_hashinfo tcp_hashinfo;
+ EXPORT_SYMBOL(tcp_hashinfo);
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static u32 tcp_v4_init_seq(const struct sk_buff *skb)
+ {
+ 	return secure_tcp_seq(ip_hdr(skb)->daddr,
+@@ -1565,9 +1561,6 @@
+ 	return 0;
+ 
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole))
+-#endif
+ 	tcp_v4_send_reset(rsk, skb);
+ discard:
+ 	kfree_skb(skb);
+@@ -1716,27 +1709,6 @@
+ 	if (!pskb_may_pull(skb, th->doff * 4))
+ 		goto discard_it;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) &&
+-	    (
+-			th->res1 || !tcp_flag_word(th) ||
+-			tcp_flag_word(th) == TCP_FLAG_PSH ||
+-			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_URG
+-			) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_SYN
+-			)
+-		)
+-	)
+-		goto discard_it;
+-#endif
+-
+ 	/* An explanation is required here, I think.
+ 	 * Packet length and doff are validated by header prediction,
+ 	 * provided case of th->doff==0 is eliminated.
+@@ -1750,22 +1722,12 @@
+ lookup:
+ 	sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
+ 			       th->dest, sdif, &refcounted);
+-	if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 1;
+-#endif
+-
++	if (!sk)
+ 		goto no_tcp_socket;
+-	}
+ 
+ process:
+-	if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 2;
+-#endif
+-
++	if (sk->sk_state == TCP_TIME_WAIT)
+ 		goto do_time_wait;
+-	}
+ 
+ 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ 		struct request_sock *req = inet_reqsk(sk);
+@@ -1879,10 +1841,6 @@
+ bad_packet:
+ 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
+ 	} else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || (ret == 1 &&
+-						  (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+ 
+ 		tcp_v4_send_reset(NULL, skb);
+ 	}
+diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+--- a/net/ipv4/tcp_minisocks.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_minisocks.c	2020-03-07 22:12:39.754908842 +0000
+@@ -29,10 +29,6 @@
+ #include <net/xfrm.h>
+ #include <net/busy_poll.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
+ {
+ 	if (seq == s_win)
+@@ -813,10 +809,6 @@
+ 		 * avoid becoming vulnerable to outside attack aiming at
+ 		 * resetting legit local connections.
+ 		 */
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+-
+ 		req->rsk_ops->send_reset(sk, skb);
+ 	} else if (fastopen) { /* received a valid RST pkt */
+ 		reqsk_fastopen_remove(sk, req, true);
+diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
+--- a/net/ipv4/udp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/udp.c	2020-03-07 22:13:06.595302301 +0000
+@@ -128,10 +128,6 @@
+ #define MAX_UDP_PORTS 65536
+ #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /* IPCB reference means this can not be used from early demux */
+ static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+@@ -2266,9 +2262,6 @@
+ 		goto csum_error;
+ 
+ 	__UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
+-#endif
+ 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ 
+ 	/*
+diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+--- a/net/ipv6/icmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/icmp.c	2020-03-07 22:16:58.198696714 +0000
+@@ -72,10 +72,6 @@
+ 
+ #include <linux/uaccess.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /*
+  *	The ICMP socket(s). This is the most convenient way to flow control
+  *	our ICMP output as well as maintain a clean interface throughout
+@@ -852,9 +848,6 @@
+ 
+ 	switch (type) {
+ 	case ICMPV6_ECHO_REQUEST:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ 		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
+ 			icmpv6_echo_reply(skb);
+ 		break;
+diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+--- a/net/ipv6/tcp_ipv6.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/tcp_ipv6.c	2020-03-07 22:20:43.832029273 +0000
+@@ -71,10 +71,6 @@
+ 
+ #include <trace/events/tcp.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static void	tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
+ static void	tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ 				      struct request_sock *req);
+@@ -1360,10 +1356,6 @@
+ 	return 0;
+ 
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole))
+-#endif
+-
+ 	tcp_v6_send_reset(sk, skb);
+ discard:
+ 	if (opt_skb)
+@@ -1461,27 +1453,6 @@
+ 	if (!pskb_may_pull(skb, th->doff*4))
+ 		goto discard_it;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) &&
+-	    (
+-			th->res1 || !tcp_flag_word(th) ||
+-			tcp_flag_word(th) == TCP_FLAG_PSH ||
+-			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_URG
+-			) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_SYN
+-			)
+-		)
+-	)
+-		goto discard_it;
+-#endif
+-
+ 	if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
+ 		goto csum_error;
+ 
+@@ -1492,22 +1463,12 @@
+ 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
+ 				th->source, th->dest, inet6_iif(skb), sdif,
+ 				&refcounted);
+-	if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 1;
+-#endif
+-
++	if (!sk)
+ 		goto no_tcp_socket;
+-	}
+ 
+ process:
+-	if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 2;
+-#endif
+-
++	if (sk->sk_state == TCP_TIME_WAIT)
+ 		goto do_time_wait;
+-	}
+ 
+ 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ 		struct request_sock *req = inet_reqsk(sk);
+@@ -1615,11 +1576,6 @@
+ bad_packet:
+ 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
+ 	} else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || (ret == 1 &&
+-						  (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+-
+ 		tcp_v6_send_reset(NULL, skb);
+ 	}
+ 
+diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
+--- a/net/ipv6/udp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/udp.c	2020-03-07 22:21:22.692605157 +0000
+@@ -56,10 +56,6 @@
+ #include <trace/events/skb.h>
+ #include "udp_impl.h"
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+ #if defined(CONFIG_NET_L3_MASTER_DEV)
+@@ -867,9 +863,6 @@
+ 		goto csum_error;
+ 
+ 	__UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ 	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
+ 
+ 	kfree_skb(skb);
+diff -Nur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig	2020-03-07 21:59:46.853570565 +0000
++++ b/security/Kconfig	2020-03-07 22:21:47.792977092 +0000
+@@ -345,38 +345,6 @@
+ 		enhances the random number generator.
+ 
+ 
+-config HARDENED_STEALTH_NETWORKING
+-	bool "Enable stealth networking [GRSECURITY]"
+-	default n
+-	depends on NET
+-	help
+-		If you say Y here, neither TCP resets nor ICMP
+-		destination-unreachable packets will be sent in response to packets
+-		sent to ports for which no associated listening process exists.
+-		This feature supports both IPV4 and IPV6 and exempts the
+-		loopback interface from blackholing.  Enabling this feature
+-		makes a host more resilient to DoS attacks and reduces network
+-		visibility against scanners.
+-
+-		The blackhole feature as-implemented is equivalent to the FreeBSD
+-		blackhole feature, as it prevents RST responses to all packets, not
+-		just SYNs.  Under most application behavior this causes no
+-		problems, but applications (like haproxy) may not close certain
+-		connections in a way that cleanly terminates them on the remote
+-		end, leaving the remote host in LAST_ACK state.  Because of this
+-		side-effect and to prevent intentional LAST_ACK DoSes, this
+-		feature also adds automatic mitigation against such attacks.
+-		The mitigation drastically reduces the amount of time a socket
+-		can spend in LAST_ACK state.  If you're using haproxy and not
+-		all servers it connects to have this option enabled, consider
+-		disabling this feature on the haproxy host.
+-
+-		If the sysctl option is enabled, a sysctl option with names
+-		"ip_blackhole" will be created.
+-		This sysctl, "ip_blackhole" takes the standard zero/non-zero
+-		on/off toggle to enable or disable this feature.
+-
+-
+ config HARDENED_NO_SIMULT_CONNECT
+ 	bool "Disable simultaneous TCP connections [GRSECURITY]"
+ 	default n
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild b/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
index f7975ac8..73ab24bc 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
+++ b/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
@@ -41,6 +41,7 @@ PATCHES=(
 	"${FILESDIR}"/"${KV_MAJOR}"-nouveau-pascal-backlight.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened.patch
+	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened-disable-stealth-networking.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-uksm-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-version-v0.180-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0002-Fix-Werror-build-failure-in-tools.patch
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
index 7dbc8f7a..a04d18cc 100644
--- a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,7 +8749,6 @@ CONFIG_DEFAULT_SECURITY="apparmor"
 # Hardened Enhancements
 #
 CONFIG_HARDENED_RANDOM=y
-CONFIG_HARDENED_STEALTH_NETWORKING=y
 CONFIG_HARDENED_NO_SIMULT_CONNECT=y
 CONFIG_HARDENED_SYSFS_RESTRICT=y
 CONFIG_HARDENED_FIFO=y
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
new file mode 100644
index 00000000..d290f937
--- /dev/null
+++ b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
@@ -0,0 +1,426 @@
+diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+--- a/include/uapi/linux/ip.h	2020-03-07 21:59:46.833570272 +0000
++++ b/include/uapi/linux/ip.h	2020-03-07 22:06:28.909470648 +0000
+@@ -66,9 +66,6 @@
+ 
+ #define IPVERSION	4
+ #define MAXTTL		255
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-#define IPDEFTTL	128
+-#else
+ #define IPDEFTTL	64
+ #endif
+ 
+diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+--- a/net/core/sysctl_net_core.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/core/sysctl_net_core.c	2020-03-07 22:07:10.190076177 +0000
+@@ -36,10 +36,6 @@
+ int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
+ EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-int sysctl_stealth_blackhole __read_mostly = 1;
+-#endif
+-
+ #ifdef CONFIG_RPS
+ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
+ 				void __user *buffer, size_t *lenp, loff_t *ppos)
+@@ -509,17 +505,6 @@
+ 		.proc_handler	= set_default_qdisc
+ 	},
+ #endif
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	{
+-		.procname	= "ip_blackhole",
+-		.data		= &sysctl_stealth_blackhole,
+-		.maxlen		= sizeof(int),
+-		.mode		= 0644,
+-		.proc_handler   = proc_dointvec_minmax,
+-		.extra1		= &zero,
+-		.extra2		= &one,
+-	},
+-#endif
+ #endif /* CONFIG_NET */
+ 	{
+ 		.procname	= "netdev_budget",
+diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+--- a/net/ipv4/icmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/icmp.c	2020-03-07 22:08:25.271177396 +0000
+@@ -195,10 +195,6 @@
+ 	short   error;		/* This ICMP is classed as an error message */
+ };
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
+ 
+ /*
+@@ -938,11 +934,6 @@
+ {
+ 	struct net *net;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+-		return true;
+-#endif
+-
+ 	net = dev_net(skb_dst(skb)->dev);
+ 	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
+ 		struct icmp_bxm icmp_param;
+@@ -970,11 +961,6 @@
+ {
+ 	struct icmp_bxm icmp_param;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+-		return true;
+-#endif
+-
+ 	/*
+ 	 *	Too short.
+ 	 */
+diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/igmp.c	2020-03-07 22:09:13.161879736 +0000
+@@ -136,10 +136,6 @@
+ 	 ((in_dev)->mr_v2_seen && \
+ 	  time_before(jiffies, (in_dev)->mr_v2_seen)))
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static int unsolicited_report_interval(struct in_device *in_dev)
+ {
+ 	int interval_ms, interval_jiffies;
+@@ -741,11 +737,6 @@
+ 	__be32	dst;
+ 	int hlen, tlen;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole))
+-		return -1;
+-#endif
+-
+ 	if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
+ 		return igmpv3_send_report(in_dev, pmc);
+ 
+diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+--- a/net/ipv4/tcp_ipv4.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_ipv4.c	2020-03-07 22:12:16.564568875 +0000
+@@ -95,10 +95,6 @@
+ struct inet_hashinfo tcp_hashinfo;
+ EXPORT_SYMBOL(tcp_hashinfo);
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static u32 tcp_v4_init_seq(const struct sk_buff *skb)
+ {
+ 	return secure_tcp_seq(ip_hdr(skb)->daddr,
+@@ -1565,9 +1561,6 @@
+ 	return 0;
+ 
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole))
+-#endif
+ 	tcp_v4_send_reset(rsk, skb);
+ discard:
+ 	kfree_skb(skb);
+@@ -1716,27 +1709,6 @@
+ 	if (!pskb_may_pull(skb, th->doff * 4))
+ 		goto discard_it;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) &&
+-	    (
+-			th->res1 || !tcp_flag_word(th) ||
+-			tcp_flag_word(th) == TCP_FLAG_PSH ||
+-			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_URG
+-			) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_SYN
+-			)
+-		)
+-	)
+-		goto discard_it;
+-#endif
+-
+ 	/* An explanation is required here, I think.
+ 	 * Packet length and doff are validated by header prediction,
+ 	 * provided case of th->doff==0 is eliminated.
+@@ -1750,22 +1722,12 @@
+ lookup:
+ 	sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
+ 			       th->dest, sdif, &refcounted);
+-	if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 1;
+-#endif
+-
++	if (!sk)
+ 		goto no_tcp_socket;
+-	}
+ 
+ process:
+-	if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 2;
+-#endif
+-
++	if (sk->sk_state == TCP_TIME_WAIT)
+ 		goto do_time_wait;
+-	}
+ 
+ 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ 		struct request_sock *req = inet_reqsk(sk);
+@@ -1879,10 +1841,6 @@
+ bad_packet:
+ 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
+ 	} else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || (ret == 1 &&
+-						  (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+ 
+ 		tcp_v4_send_reset(NULL, skb);
+ 	}
+diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+--- a/net/ipv4/tcp_minisocks.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_minisocks.c	2020-03-07 22:12:39.754908842 +0000
+@@ -29,10 +29,6 @@
+ #include <net/xfrm.h>
+ #include <net/busy_poll.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
+ {
+ 	if (seq == s_win)
+@@ -813,10 +809,6 @@
+ 		 * avoid becoming vulnerable to outside attack aiming at
+ 		 * resetting legit local connections.
+ 		 */
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+-
+ 		req->rsk_ops->send_reset(sk, skb);
+ 	} else if (fastopen) { /* received a valid RST pkt */
+ 		reqsk_fastopen_remove(sk, req, true);
+diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
+--- a/net/ipv4/udp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/udp.c	2020-03-07 22:13:06.595302301 +0000
+@@ -128,10 +128,6 @@
+ #define MAX_UDP_PORTS 65536
+ #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /* IPCB reference means this can not be used from early demux */
+ static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+@@ -2266,9 +2262,6 @@
+ 		goto csum_error;
+ 
+ 	__UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
+-#endif
+ 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ 
+ 	/*
+diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+--- a/net/ipv6/icmp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/icmp.c	2020-03-07 22:16:58.198696714 +0000
+@@ -72,10 +72,6 @@
+ 
+ #include <linux/uaccess.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /*
+  *	The ICMP socket(s). This is the most convenient way to flow control
+  *	our ICMP output as well as maintain a clean interface throughout
+@@ -852,9 +848,6 @@
+ 
+ 	switch (type) {
+ 	case ICMPV6_ECHO_REQUEST:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ 		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
+ 			icmpv6_echo_reply(skb);
+ 		break;
+diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+--- a/net/ipv6/tcp_ipv6.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/tcp_ipv6.c	2020-03-07 22:20:43.832029273 +0000
+@@ -71,10 +71,6 @@
+ 
+ #include <trace/events/tcp.h>
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static void	tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
+ static void	tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ 				      struct request_sock *req);
+@@ -1360,10 +1356,6 @@
+ 	return 0;
+ 
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole))
+-#endif
+-
+ 	tcp_v6_send_reset(sk, skb);
+ discard:
+ 	if (opt_skb)
+@@ -1461,27 +1453,6 @@
+ 	if (!pskb_may_pull(skb, th->doff*4))
+ 		goto discard_it;
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (likely(sysctl_stealth_blackhole) &&
+-	    (
+-			th->res1 || !tcp_flag_word(th) ||
+-			tcp_flag_word(th) == TCP_FLAG_PSH ||
+-			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_URG
+-			) ||
+-			(
+-				tcp_flag_word(th) &
+-					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
+-				tcp_flag_word(th) & TCP_FLAG_SYN
+-			)
+-		)
+-	)
+-		goto discard_it;
+-#endif
+-
+ 	if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
+ 		goto csum_error;
+ 
+@@ -1492,22 +1463,12 @@
+ 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
+ 				th->source, th->dest, inet6_iif(skb), sdif,
+ 				&refcounted);
+-	if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 1;
+-#endif
+-
++	if (!sk)
+ 		goto no_tcp_socket;
+-	}
+ 
+ process:
+-	if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		ret = 2;
+-#endif
+-
++	if (sk->sk_state == TCP_TIME_WAIT)
+ 		goto do_time_wait;
+-	}
+ 
+ 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ 		struct request_sock *req = inet_reqsk(sk);
+@@ -1615,11 +1576,6 @@
+ bad_packet:
+ 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
+ 	} else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-		if (!sysctl_stealth_blackhole || (ret == 1 &&
+-						  (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+-
+ 		tcp_v6_send_reset(NULL, skb);
+ 	}
+ 
+diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
+--- a/net/ipv6/udp.c	2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/udp.c	2020-03-07 22:21:22.692605157 +0000
+@@ -56,10 +56,6 @@
+ #include <trace/events/skb.h>
+ #include "udp_impl.h"
+ 
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+ #if defined(CONFIG_NET_L3_MASTER_DEV)
+@@ -867,9 +863,6 @@
+ 		goto csum_error;
+ 
+ 	__UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-	if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ 	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
+ 
+ 	kfree_skb(skb);
+diff -Nur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig	2020-03-07 21:59:46.853570565 +0000
++++ b/security/Kconfig	2020-03-07 22:21:47.792977092 +0000
+@@ -345,38 +345,6 @@
+ 		enhances the random number generator.
+ 
+ 
+-config HARDENED_STEALTH_NETWORKING
+-	bool "Enable stealth networking [GRSECURITY]"
+-	default n
+-	depends on NET
+-	help
+-		If you say Y here, neither TCP resets nor ICMP
+-		destination-unreachable packets will be sent in response to packets
+-		sent to ports for which no associated listening process exists.
+-		This feature supports both IPV4 and IPV6 and exempts the
+-		loopback interface from blackholing.  Enabling this feature
+-		makes a host more resilient to DoS attacks and reduces network
+-		visibility against scanners.
+-
+-		The blackhole feature as-implemented is equivalent to the FreeBSD
+-		blackhole feature, as it prevents RST responses to all packets, not
+-		just SYNs.  Under most application behavior this causes no
+-		problems, but applications (like haproxy) may not close certain
+-		connections in a way that cleanly terminates them on the remote
+-		end, leaving the remote host in LAST_ACK state.  Because of this
+-		side-effect and to prevent intentional LAST_ACK DoSes, this
+-		feature also adds automatic mitigation against such attacks.
+-		The mitigation drastically reduces the amount of time a socket
+-		can spend in LAST_ACK state.  If you're using haproxy and not
+-		all servers it connects to have this option enabled, consider
+-		disabling this feature on the haproxy host.
+-
+-		If the sysctl option is enabled, a sysctl option with names
+-		"ip_blackhole" will be created.
+-		This sysctl, "ip_blackhole" takes the standard zero/non-zero
+-		on/off toggle to enable or disable this feature.
+-
+-
+ config HARDENED_NO_SIMULT_CONNECT
+ 	bool "Disable simultaneous TCP connections [GRSECURITY]"
+ 	default n
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild b/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
index 2f7dc850..b50fa254 100644
--- a/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
+++ b/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
@@ -35,6 +35,7 @@ PATCHES=(
 	"${FILESDIR}"/"${KV_MAJOR}"-nouveau-pascal-backlight.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened.patch
+	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened-disable-stealth-networking.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-uksm-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-version-v0.180-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0002-Fix-Werror-build-failure-in-tools.patch