MAJOR: config: prevent QUIC with clients' privileged ports by default

The previous commit introduced a new protection mechanism to forbid
communications with clients which use a privileged source port. By
default, this mechanism is disabled for every protocol.

This patch changes the default value and activates the protection
mechanism for the QUIC protocol. This is justified as it is a probable sign
of a DNS/NTP amplification attack.

This is labelled as major as it can be a breaking change in some
network environments.
Amaury Denoyelle 2024-05-23 16:07:16 +02:00
parent 45f40bac4c
commit f55748a422
2 changed files with 5 additions and 3 deletions
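To make the effect of the default change concrete, here is an added example that is not HAProxy's own code: a small model of an allow mask over protocols, the two `harden.reject-privileged-ports.*` keywords, and the privileged range taken as RFC 6335 system ports (0-1023). The `HA_PROTO_*` names mirror the ones visible in the diff, but the enum values, `apply_keyword`, `reject_client`, `count_rejected`, `rejected_with_override` and the sample client list are all hypothetical and constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bitmask, modelled on the HA_PROTO_* names in the
 * diff. The mask lists protocols for which clients MAY use a privileged
 * source port (allow semantics): the old default HA_PROTO_ANY meant "no
 * protection", the new default HA_PROTO_TCP means QUIC is rejected. */
enum ha_proto {
    HA_PROTO_TCP  = 1 << 0,
    HA_PROTO_QUIC = 1 << 1,
    HA_PROTO_ANY  = HA_PROTO_TCP | HA_PROTO_QUIC,
};

#define DEFAULT_BEFORE HA_PROTO_ANY   /* default before this commit */
#define DEFAULT_AFTER  HA_PROTO_TCP   /* default after this commit  */

/* Assumption: the privileged range is the RFC 6335 system ports, 0-1023. */
static int is_privileged_port(uint16_t port) { return port < 1024; }

/* 1 if a client with this source port must be rejected on this protocol. */
static int reject_client(unsigned mask, enum ha_proto proto, uint16_t src_port)
{
    return is_privileged_port(src_port) && !(mask & proto);
}

/* Apply one "harden.reject-privileged-ports.<proto> { on | off }" keyword.
 * "on" means reject, i.e. clear the allow bit. Returns -1 on bad input. */
static int apply_keyword(unsigned *mask, const char *kw, const char *val)
{
    enum ha_proto proto;

    if (strcmp(kw, "harden.reject-privileged-ports.tcp") == 0)
        proto = HA_PROTO_TCP;
    else if (strcmp(kw, "harden.reject-privileged-ports.quic") == 0)
        proto = HA_PROTO_QUIC;
    else
        return -1;

    if (strcmp(val, "on") == 0)
        *mask &= ~(unsigned)proto;
    else if (strcmp(val, "off") == 0)
        *mask |= proto;
    else
        return -1;
    return 0;
}

/* Constructed sample of incoming clients: protocol and source port. */
struct sample { enum ha_proto proto; uint16_t src_port; };
static const struct sample samples[] = {
    { HA_PROTO_TCP,  53    }, /* TCP from port 53: allowed under both defaults */
    { HA_PROTO_QUIC, 53    }, /* QUIC from port 53 (DNS): rejected after */
    { HA_PROTO_QUIC, 123   }, /* QUIC from port 123 (NTP): rejected after */
    { HA_PROTO_QUIC, 1024  }, /* first user port: never rejected */
    { HA_PROTO_QUIC, 49152 }, /* dynamic port: never rejected */
};

/* Count how many sample clients are rejected under a given allow mask. */
static int count_rejected(unsigned mask)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        n += reject_client(mask, samples[i].proto, samples[i].src_port);
    return n;
}

/* Start from the new default, apply one keyword, and report the count
 * (or -1 if the keyword/value is invalid). */
static int rejected_with_override(const char *kw, const char *val)
{
    unsigned mask = DEFAULT_AFTER;
    if (apply_keyword(&mask, kw, val) < 0)
        return -1;
    return count_rejected(mask);
}

int main(void)
{
    printf("rejected with old default: %d\n", count_rejected(DEFAULT_BEFORE));
    printf("rejected with new default: %d\n", count_rejected(DEFAULT_AFTER));
    printf("rejected after opting QUIC out: %d\n",
           rejected_with_override("harden.reject-privileged-ports.quic", "off"));
    return 0;
}
```

The last call shows the knob an operator would set in the global section to restore the pre-commit behaviour for QUIC; the inverted relationship between the `reject-...` keyword and the allow bit in the mask is the detail most likely to trip up a reader of the initializer hunk below.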


@ -1950,7 +1950,9 @@ harden.reject-privileged-ports.tcp { on | off }
harden.reject-privileged-ports.quic { on | off } harden.reject-privileged-ports.quic { on | off }
Toggle per protocol protection which forbid communication with clients which Toggle per protocol protection which forbid communication with clients which
use privileged ports as their source port. This range of ports is defined use privileged ports as their source port. This range of ports is defined
according to RFC 6335. Protection is inactive by default on both protocols. according to RFC 6335. By default, protection is active for QUIC protocol as
this behavior is suspicious and may be used as a spoofing or DNS/NTP
amplification attack.
http-err-codes [+-]<range>[,...] [...] http-err-codes [+-]<range>[,...] [...]
Replace, reduce or extend the list of status codes that define an error as Replace, reduce or extend the list of status codes that define an error as
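Review bot: the rewritten sentence drops the statement of TCP's default. Replacing "Protection is inactive by default on both protocols." with a QUIC-only sentence leaves a reader of `harden.reject-privileged-ports.tcp` with no stated default for TCP; add a line such as "Protection remains inactive by default for TCP." after the QUIC sentence. Two wording points in the same hunk: "Toggle per protocol protection which forbid communication" should read "forbids", and "may be used as a spoofing or DNS/NTP amplification attack" would be more accurate as "may indicate a spoofing or DNS/NTP amplification attack", since the privileged source port is the sign, not the attack.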


@ -210,8 +210,8 @@ struct global global = {
.maxsslconn = DEFAULT_MAXSSLCONN, .maxsslconn = DEFAULT_MAXSSLCONN,
#endif #endif
#endif #endif
/* by default do not protect against clients using privileged port */ /* by default allow clients which use a privileged port for TCP only */
.clt_privileged_ports = HA_PROTO_ANY, .clt_privileged_ports = HA_PROTO_TCP,
/* others NULL OK */ /* others NULL OK */
}; };
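Review bot: the comment on `.clt_privileged_ports` should spell out that the field is an allow mask, since the value semantics are the inverse of the `reject-privileged-ports` keyword it backs: HA_PROTO_ANY meant no protection and HA_PROTO_TCP now means QUIC clients on a privileged source port are rejected. Something like `/* protocols for which clients may use a privileged source port; TCP only by default, so QUIC is rejected */` would stop a future reader from adding HA_PROTO_QUIC here in the belief that it enables the check. Consider also giving the default a DEFAULT_* macro alongside DEFAULT_MAXSSLCONN so this initializer and the documented default cannot drift apart.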