

[PATCH] IP_MINTTL (was: Re: IP_RECVTTL)



At Wed, 8 Jul 2009 19:13:30 -0400,
matthew sporleder <msporleder%gmail.com@localhost> wrote:
> 
> While trying to compile liboping on netbsd I ran into a lack of
> IP_RECVTTL and noticed that freebsd did have this and a few other
> things defined in in.h:
> 
>     469 #define       IP_RECVTTL              65   /* bool; receive IP TTL 
> w/dgram */
>     470 #define       IP_MINTTL               66   /* minimum TTL for packet 
> or drop */
>     471 #define       IP_DONTFRAG             67   /* don't fragment packet */

The following is a patch to add IP_MINTTL.

diff --git a/share/man/man4/ip.4 b/share/man/man4/ip.4
index 35f9821..92b6b1a 100644
--- a/share/man/man4/ip.4
+++ b/share/man/man4/ip.4
@@ -186,6 +186,20 @@ cmsg_len = sizeof(uint8_t)
 cmsg_level = IPPROTO_IP
 cmsg_type = IP_RECVTTL
 .Ed
+.Pp
+The
+.Dv IP_MINTTL
+option may be used on
+.Dv SOCK_STREAM
+sockets to discard packets with a TTL lower than the option value.
+This can be used to implement the
+.Em Generalized TTL Security Mechanism (GTSM)
+according to RFC 3682.
+To discard all packets with a TTL lower than 255:
+.Bd -literal -offset indent
+int minttl = 255;
+setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
+.Ed
 .Ss MULTICAST OPTIONS
 .Tn IP
 multicasting is supported only on
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 37dfb21..4f963d4 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -283,6 +283,7 @@ struct ip_opts {
 #define        IP_IPSEC_POLICY         22 /* struct; get/set security policy */
 #endif
 #define        IP_RECVTTL              23   /* bool; receive IP TTL w/dgram */
+#define        IP_MINTTL               24   /* minimum TTL for packet or drop 
*/
 
 /*
  * Defaults and limits for options
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index bd39dbb..9d0a8a3 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -91,6 +91,7 @@ struct inpcb {
        struct    mbuf *inp_options;    /* IP options */
        struct    ip_moptions *inp_moptions; /* IP multicast options */
        int       inp_errormtu;         /* MTU of last xmit status = EMSGSIZE */
+       uint8_t   inp_ip_minttl;
 };
 
 #define        inp_faddr       inp_ip.ip_dst
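Review bot: The new `inp_ip_minttl` member is the only field in this part of struct inpcb without a trailing comment, while its neighbours (inp_options, inp_moptions, inp_errormtu) each document their meaning; add one that names the option and the sentinel value, e.g. `uint8_t   inp_ip_minttl;        /* minimum TTL of incoming segments (IP_MINTTL); 0 = no check */`. The "0 = no check" reading relies on the comparison added in tcp_input.c (`ip->ip_ttl < inp->inp_ip_minttl`) being false for a zero minimum, so confirm that zero is the intended default for a freshly created PCB. struct inpcb begins outside the hunk.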
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 82b9f4b..a4147c3 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1223,6 +1223,7 @@ ip_ctloutput(int op, struct socket *so, struct sockopt 
*sopt)
 
                case IP_TOS:
                case IP_TTL:
+               case IP_MINTTL:
                case IP_RECVOPTS:
                case IP_RECVRETOPTS:
                case IP_RECVDSTADDR:
@@ -1240,6 +1241,13 @@ ip_ctloutput(int op, struct socket *so, struct sockopt 
*sopt)
                        case IP_TTL:
                                inp->inp_ip.ip_ttl = optval;
                                break;
+
+                       case IP_MINTTL:
+                               if (optval > 0 && optval <= MAXTTL)
+                                       inp->inp_ip_minttl = optval;
+                               else
+                                       error = EINVAL;
+                               break;
 #define        OPTSET(bit) \
        if (optval) \
                inp->inp_flags |= bit; \
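Review bot: The range check on the IP_MINTTL set path, `if (optval > 0 && optval <= MAXTTL)`, rejects 0, so once the option has been enabled on a socket it can never be turned off again: every accepted value keeps enforcing a TTL floor, and the only value that would disable the check is the one EINVAL refuses. Accepting 0 as the "disabled" value fixes that with a one-token change, `if (optval >= 0 && optval <= MAXTTL)`; the drop test in tcp_input.c (`ip_ttl < inp_ip_minttl`) is already a no-op for a zero minimum, so storing 0 is safe. This also keeps the get path consistent, which can already report 0 for a socket that never set the option. ip_ctloutput starts and ends outside the hunk.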
@@ -1335,6 +1343,7 @@ ip_ctloutput(int op, struct socket *so, struct sockopt 
*sopt)
 
                case IP_TOS:
                case IP_TTL:
+               case IP_MINTTL:
                case IP_RECVOPTS:
                case IP_RECVRETOPTS:
                case IP_RECVDSTADDR:
@@ -1350,6 +1359,10 @@ ip_ctloutput(int op, struct socket *so, struct sockopt 
*sopt)
                                optval = inp->inp_ip.ip_ttl;
                                break;
 
+                       case IP_MINTTL:
+                               optval = inp->inp_ip_minttl;
+                               break;
+
                        case IP_ERRORMTU:
                                optval = inp->inp_errormtu;
                                break;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 6da7591..bf877fd 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1289,6 +1289,10 @@ findpcb:
 #endif
        }
 
+       /* Check the minimum TTL for socket. */
+       if (ip->ip_ttl < inp->inp_ip_minttl)
+               goto drop;
+
        /*
         * If the state is CLOSED (i.e., TCB does not exist) then
         * all data in the incoming segment is discarded.
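Review bot: The new check dereferences both `ip` and `inp` unconditionally, but the lookup code that assigns them is outside the hunk; if this point can be reached for a segment handled through the IPv6 path (where `ip6`/`in6p` would carry the packet and PCB and `ip`/`inp` may be NULL), this is a NULL dereference in the receive path, triggerable by any remote sender. Either guard it, `if (ip != NULL && inp != NULL && ip->ip_ttl < inp->inp_ip_minttl)`, or move the test into the AF_INET branch of the PCB lookup where both pointers are known valid. Discarding without a reset via `goto drop` is the right behaviour for a GTSM-style filter (an RST would leak state to a spoofing sender); counting these discards in the TCP statistics would make the drops visible to operators. tcp_input starts and ends outside the hunk.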


-- 
Min Sik Kim

