From 13d7ac3363afda471f75c6d1d4b4d0fa8fb44928 Mon Sep 17 00:00:00 2001
From: Samuel Martin
Date: Thu, 30 Jun 2022 17:27:09 +0200
Subject: [PATCH] ip4: tcp: send zero IP_ID for small packets
... especially the TCP control ones (SYNACK, RST, etc). This change makes the system useless as a zombie machine in idle-scan attempts. This approach is inspired by what is done in other network stack (such as the linux kernel one). This approach is a low-cost CPU solution, compared to generating a random IP ID value for every single IP packet. See patch #10270
Signed-off-by: Samuel Martin
Signed-off-by: Simon Goldschmidt
---
 src/core/ipv4/ip4.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/core/ipv4/ip4.c b/src/core/ipv4/ip4.c
index e044bff2..b382e808 100644
--- a/src/core/ipv4/ip4.c
+++ b/src/core/ipv4/ip4.c
@@ -961,11 +961,21 @@ ip4_output_if_opt_src(struct pbuf *p, const ip4_addr_t *src, const ip4_addr_t *d
 chk_sum += iphdr->_len;
 #endif /* CHECKSUM_GEN_IP_INLINE */
 IPH_OFFSET_SET(iphdr, 0);
- IPH_ID_SET(iphdr, lwip_htons(ip_id));
+ if ((proto == IP_PROTO_TCP) && (p->tot_len <= IP4_MIN_MTU_LENGTH))
+ {
+ /* For small TCP packets, e.g. protocol handshake,
+ * do not bother generating IP_ID (just use 0 ip_id)
+ */
+ IPH_ID_SET(iphdr, lwip_htons(0));
+ }
+ else
+ {
+ IPH_ID_SET(iphdr, lwip_htons(ip_id));
+ ++ip_id;
+ }
 #if CHECKSUM_GEN_IP_INLINE
 chk_sum += iphdr->_id;
 #endif /* CHECKSUM_GEN_IP_INLINE */
- ++ip_id;
 if (src == NULL) {
 ip4_addr_copy(iphdr->src, *IP4_ADDR_ANY4);
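Review bot: The zero-ID branch is only safe while such packets can never be fragmented, and neither the new comment nor the condition says so. The context line `IPH_OFFSET_SET(iphdr, 0)` leaves DF clear, so the guarantee rests on `IP4_MIN_MTU_LENGTH` (defined outside this hunk) being no larger than the 68 bytes RFC 791 requires every hop to forward unfragmented, and on `p->tot_len` already including the IP header here. I would replace the comment with one that records the reason and the constraint, e.g. `/* Small TCP segments (SYN-ACK, RST, ...) cannot be fragmented, so a constant ID of 0 is safe and stops them advancing the shared ip_id counter; IP4_MIN_MTU_LENGTH must stay <= 68 (RFC 791). */`. The `else` branch still uses the single global `ip_id` counter, so larger TCP segments and all other protocols keep a sequential, remotely observable ID; that residual exposure deserves a sentence in the commit message. The body of ip4_output_if_opt_src starts and ends outside the hunk, and the braces on their own lines differ from the `if (src == NULL) {` style on the context line below.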