Add new sysctl (net.inet.tcp.log_refused) that when set, causes refused TCP

connections to be logged.

lib/libc/gen/sysctl.3

@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.3,v 1.34 1999/03/09 19:45:09 erh Exp $
+.\"	$NetBSD: sysctl.3,v 1.35 1999/05/23 20:33:51 ad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -564,6 +564,7 @@ The currently defined protocols and names are:
 .It tcp keepcnt	integer	yes
 .It tcp	slowhz	integer	no
 .It tcp	newreno	integer	yes
+.It tcp	log_refused	integer	yes
 .It udp	checksum	integer	yes
 .It udp	sendspace	integer	yes
 .It udp	recvspace	integer	yes
@@ -685,6 +686,8 @@ must be divided by the tcp.slowhz value to get times in seconds.)
 .It Li tcp.newreno
 Returns 1 if the use of J. Hoe's NewReno congestion control algorithm is
 enabled.  This algorithm improves the start-up behavior of TCP connections.
+.It Li tcp.log_refused
+When set to 1, all refused TCP connections to the host are logged.
 .It Li udp.checksum
 Returns 1 when UDP checksums are being computed and checked.
 Disabling UDP checksums is strongly discouraged.

sys/netinet/tcp_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.81 1999/05/03 23:30:27 thorpej Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.82 1999/05/23 20:33:50 ad Exp $	*/
 
 /*-
  * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
@@ -112,6 +112,7 @@
 #include <machine/stdarg.h>
 
 int	tcprexmtthresh = 3;
+int	tcp_log_refused;
 struct	tcpiphdr tcp_saveti;
 
 #define TCP_PAWS_IDLE	(24 * 24 * 60 * 60 * PR_SLOWHZ)
@@ -549,6 +550,14 @@ findpcb:
 		inp = in_pcblookup_bind(&tcbtable, ti->ti_dst, ti->ti_dport);
 		if (inp == 0) {
 			++tcpstat.tcps_noport;
+			if (tcp_log_refused && (tiflags & TH_SYN)) {
+				char buf[4*sizeof "123"];
+				strcpy(buf, inet_ntoa(ti->ti_dst));
+				log(LOG_INFO,
+				    "Connection attempt to TCP %s:%d from %s:%d\n",
+				    buf, ntohs(ti->ti_dport), inet_ntoa(ti->ti_src),
+				    ntohs(ti->ti_sport));
+			}
 			goto dropwithreset;
 		}
 	}

sys/netinet/tcp_var.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_var.h,v 1.59 1999/04/29 03:54:23 thorpej Exp $	*/
+/*	$NetBSD: tcp_var.h,v 1.60 1999/05/23 20:33:51 ad Exp $	*/
 
 /*-
  * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
@@ -455,7 +455,8 @@ struct	tcpstat {
 #define	TCPCTL_KEEPCNT		19	/* keepalive count */
 #define	TCPCTL_SLOWHZ		20	/* PR_SLOWHZ (read-only) */
 #define	TCPCTL_NEWRENO		21	/* NewReno Congestion Control */
-#define	TCPCTL_MAXID		22
+#define TCPCTL_LOG_REFUSED	22	/* Log refused connections */
+#define	TCPCTL_MAXID		23
 
 #define	TCPCTL_NAMES { \
 	{ 0, 0 }, \
@@ -480,6 +481,7 @@ struct	tcpstat {
 	{ "keepcnt",	CTLTYPE_INT }, \
 	{ "slowhz",	CTLTYPE_INT }, \
 	{ "newreno",	CTLTYPE_INT }, \
+	{ "log_refused",CTLTYPE_INT }, \
 }
 
 #ifdef _KERNEL
@@ -501,6 +503,7 @@ extern	int tcp_ack_on_push;	/* ACK immediately on PUSH */
 extern	int tcp_syn_cache_limit; /* max entries for compressed state engine */
 extern	int tcp_syn_bucket_limit;/* max entries per hash bucket */
 extern	int tcp_syn_cache_interval; /* compressed state timer */
+extern	int tcp_log_refused;	/* log refused connections */
 
 extern	int tcp_syn_cache_size;
 extern	struct syn_cache_head tcp_syn_cache[];
@@ -529,6 +532,7 @@ extern	u_long syn_cache_count;
 	{ 1, 0, &tcp_keepcnt },			\
 	{ 1, 1, 0, PR_SLOWHZ },			\
 	{ 1, 0, &tcp_do_newreno },		\
+	{ 1, 0, &tcp_log_refused },		\
 }
 
 int	 tcp_attach __P((struct socket *));

usr.sbin/sysctl/sysctl.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.8,v 1.28 1999/04/26 22:13:52 thorpej Exp $
+.\"	$NetBSD: sysctl.8,v 1.29 1999/05/23 20:33:51 ad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -180,6 +180,7 @@ privilege can change the value.
 .It net.inet.tcp.keepintvl	integer	yes
 .It net.inet.tcp.keepcnt	integer	yes
 .It net.inet.tcp.slowhz	integer	no
+.It net.inet.tcp.log_refused	integer	yes
 .It net.inet.udp.checksum	integer	yes
 .It net.inet.udp.sendspace	integer	yes
 .It net.inet.udp.recvspace	integer	yes