IIRC it lets you make rules that send an inbound packet to ACCEPT only if something is listening on the destination port. If nothing is listening on the destination port the packet is instead sent to DROP.
EDIT: I wasn't sure whether my memory was working properly and I didn't wanna be giving you wrong information so I downloaded the grsecurity-2.1.11-2.4.36.2-200804211830.patch.gz file to have a look and it confirms that this is indeed what it does. I quote from the patch itself:
Code:
+CONFIG_IP_NF_MATCH_STEALTH
+ Enabling this option will drop all syn packets coming to unserved tcp
+ ports as well as all packets coming to unserved udp ports. If you
+ are using your system to route any type of packets (ie. via NAT)
+ you should put this module at the end of your ruleset, since it will
+ drop packets that aren't going to ports that are listening on your
+ machine itself, it doesn't take into account that the packet might be
+ destined for someone on your internal network if you're using NAT for
+ instance.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
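Review bot: The opening sentence of the CONFIG_IP_NF_MATCH_STEALTH help text says that enabling the option "will drop all syn packets", yet the option is named as a match and the following sentence tells the reader to "put this module at the end of your ruleset", so the text should state that nothing is dropped until a rule references the match. The routing caveat would also be clearer as a direct statement that only listening ports on the local machine are considered, so traffic being forwarded or NATed to internal hosts is treated as unserved and has to be handled by rules placed earlier in the ruleset. Splitting the long sentence at "it doesn't take into account" would fix the comma splice.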