feat(socket): add TcpSaveSyn and TcpSavedSyn sockopts for Linux

Add typed setsockopt/getsockopt wrappers for TCP_SAVE_SYN (27) and
TCP_SAVED_SYN (28), Linux-only socket options used for passive TCP
fingerprinting (p0f).

TcpSaveSyn is set on a listening socket to instruct the kernel to save
a copy of each client SYN packet. TcpSavedSyn retrieves those raw IP +
TCP header bytes from the accepted socket, enabling passive OS
fingerprinting without active probing.

Author: rupert648

changelog/2760.added.md

@@ -0,0 +1,4 @@
+Added `TcpSaveSyn` and `TcpSavedSyn` socket options for Linux. `TcpSaveSyn`
+enables saving a copy of the client SYN packet on a listening socket;
+`TcpSavedSyn` retrieves the raw IP+TCP header bytes from the accepted socket.
+Useful for passive TCP fingerprinting (p0f).

src/sys/socket/sockopt.rs

@@ -248,6 +248,13 @@ macro_rules! sockopt_impl {
                       $crate::sys::socket::sockopt::SetOsString);
     };
 
+    ($(#[$attr:meta])* $name:ident, GetOnly, $level:expr, $flag:path,
+     OsString<$array:ty>) =>
+    {
+        sockopt_impl!($(#[$attr])*
+                      $name, GetOnly, $level, $flag, std::ffi::OsString, $crate::sys::socket::sockopt::GetOsString<$array>);
+    };
+
     /*
      * Matchers with generic getter types must be placed at the end, so
      * they'll only match _after_ specialized matchers fail
@@ -762,6 +769,42 @@ sockopt_impl!(
     libc::TCP_REPAIR,
     u32
 );
+#[cfg(linux_android)]
+#[cfg(feature = "net")]
+sockopt_impl!(
+    #[cfg_attr(docsrs, doc(cfg(all(feature = "net", target_os = "linux"))))]
+    /// If enabled, the kernel saves a copy of the SYN packet for each
+    /// accepted connection. The saved packet can be retrieved on the
+    /// accepted socket via [`TcpSavedSyn`]. Must be set on the listening
+    /// socket before `accept()` is called.
+    ///
+    /// See `tcp(7)` and `TCP_SAVE_SYN` in the Linux kernel documentation.
+    TcpSaveSyn,
+    Both,
+    libc::IPPROTO_TCP,
+    libc::TCP_SAVE_SYN,
+    bool
+);
+/// Maximum buffer size for a saved SYN packet retrieved via [`TcpSavedSyn`].
+/// Theoretically capped at 120 bytes (max IPv4/IPv6 header + max TCP header),
+/// but set to 512 to accommodate kernel variations (e.g. Azure-patched kernels)
+/// that may store additional bytes.
+#[cfg(linux_android)]
+pub const TCP_SAVED_SYN_MAX: usize = 512;
+
+#[cfg(linux_android)]
+#[cfg(feature = "net")]
+sockopt_impl!(
+    #[cfg_attr(docsrs, doc(cfg(all(feature = "net", target_os = "linux"))))]
+    /// Retrieves the SYN packet saved by [`TcpSaveSyn`] on the listening
+    /// socket. Returns the raw IP + TCP headers from the client's initial SYN
+    /// as bytes. Returns an empty value if no SYN was saved.
+    TcpSavedSyn,
+    GetOnly,
+    libc::IPPROTO_TCP,
+    libc::TCP_SAVED_SYN,
+    OsString<[u8; TCP_SAVED_SYN_MAX]>
+);
 #[cfg(not(any(
     target_os = "openbsd",
     target_os = "haiku",

test/sys/test_sockopt.rs

@@ -1270,3 +1270,64 @@ pub fn test_so_attach_reuseport_cbpf() {
         assert_eq!(e, nix::errno::Errno::ENOPROTOOPT);
     });
 }
+
+/// Test that TCP_SAVE_SYN can be set and read back on a listening socket, and
+/// that TCP_SAVED_SYN returns the raw SYN bytes on an accepted connection.
+#[test]
+#[cfg(linux_android)]
+#[cfg_attr(qemu, ignore)]
+fn test_tcp_save_syn() {
+    use nix::sys::socket::{
+        accept, bind, connect, getsockopt, listen, setsockopt, socket, sockopt,
+        AddressFamily, Backlog, SockFlag, SockProtocol, SockType, SockaddrIn,
+    };
+    use std::net::SocketAddrV4;
+    use std::os::fd::{FromRawFd, OwnedFd};
+    use std::str::FromStr;
+
+    // Create a listening socket and enable TCP_SAVE_SYN.
+    let listener = socket(
+        AddressFamily::Inet,
+        SockType::Stream,
+        SockFlag::empty(),
+        SockProtocol::Tcp,
+    )
+    .unwrap();
+
+    setsockopt(&listener, sockopt::ReuseAddr, &true).unwrap();
+    setsockopt(&listener, sockopt::TcpSaveSyn, &true).unwrap();
+    assert!(getsockopt(&listener, sockopt::TcpSaveSyn).unwrap());
+
+    let addr = SockaddrIn::from(SocketAddrV4::from_str("127.0.0.1:0").unwrap());
+    bind(listener.as_raw_fd(), &addr).unwrap();
+    listen(&listener, Backlog::new(1).unwrap()).unwrap();
+
+    // Determine the bound port.
+    let bound: SockaddrIn =
+        nix::sys::socket::getsockname(listener.as_raw_fd()).unwrap();
+
+    // Connect a client.
+    let client = socket(
+        AddressFamily::Inet,
+        SockType::Stream,
+        SockFlag::empty(),
+        SockProtocol::Tcp,
+    )
+    .unwrap();
+    connect(client.as_raw_fd(), &bound).unwrap();
+
+    // Accept the connection and verify TCP_SAVED_SYN returns SYN bytes.
+    let conn_fd = accept(listener.as_raw_fd()).unwrap();
+    let conn = unsafe { OwnedFd::from_raw_fd(conn_fd) };
+
+    let syn_bytes = getsockopt(&conn, sockopt::TcpSavedSyn).unwrap();
+    // The saved SYN must contain at least the IP and TCP fixed headers.
+    assert!(
+        !syn_bytes.is_empty(),
+        "TCP_SAVED_SYN should return SYN packet bytes"
+    );
+
+    // Disable TCP_SAVE_SYN and verify it reads back as false.
+    setsockopt(&listener, sockopt::TcpSaveSyn, &false).unwrap();
+    assert!(!getsockopt(&listener, sockopt::TcpSaveSyn).unwrap());
+}