[PATCH] IP_MINTTL (was: Re: IP_RECVTTL)
At Wed, 8 Jul 2009 19:13:30 -0400,
matthew sporleder <msporleder%gmail.com@localhost> wrote:
>
> While trying to compile liboping on netbsd I ran into a lack of
> IP_RECVTTL and noticed that freebsd did have this and a few other
> things defined in in.h:
>
> 469 #define IP_RECVTTL 65 /* bool; receive IP TTL
> w/dgram */
> 470 #define IP_MINTTL 66 /* minimum TTL for packet
> or drop */
> 471 #define IP_DONTFRAG 67 /* don't fragment packet */
The following is a patch to add IP_MINTTL.
diff --git a/share/man/man4/ip.4 b/share/man/man4/ip.4
index 35f9821..92b6b1a 100644
--- a/share/man/man4/ip.4
+++ b/share/man/man4/ip.4
@@ -186,6 +186,20 @@ cmsg_len = sizeof(uint8_t)
cmsg_level = IPPROTO_IP
cmsg_type = IP_RECVTTL
.Ed
+.Pp
+The
+.Dv IP_MINTTL
+option may be used on
+.Dv SOCK_STREAM
+sockets to discard packets with a TTL lower than the option value.
+This can be used to implement the
+.Em Generalized TTL Security Mechanism (GTSM)
+according to RFC 3682.
+To discard all packets with a TTL lower than 255:
+.Bd -literal -offset indent
+int minttl = 255;
+setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
+.Ed
.Ss MULTICAST OPTIONS
.Tn IP
multicasting is supported only on
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 37dfb21..4f963d4 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -283,6 +283,7 @@ struct ip_opts {
#define IP_IPSEC_POLICY 22 /* struct; get/set security policy */
#endif
#define IP_RECVTTL 23 /* bool; receive IP TTL w/dgram */
+#define IP_MINTTL 24 /* minimum TTL for packet or drop
*/
/*
* Defaults and limits for options
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index bd39dbb..9d0a8a3 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -91,6 +91,7 @@ struct inpcb {
struct mbuf *inp_options; /* IP options */
struct ip_moptions *inp_moptions; /* IP multicast options */
int inp_errormtu; /* MTU of last xmit status = EMSGSIZE */
+ uint8_t inp_ip_minttl;
};
#define inp_faddr inp_ip.ip_dst
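Review bot: The new `inp_ip_minttl` member is the only field in the visible part of `struct inpcb` without a trailing comment, and its "0 means not set" meaning is only implied by the receive-side compare elsewhere in this patch; I would write `uint8_t inp_ip_minttl; /* IP_MINTTL: drop input with a lower TTL; 0 = off */` so the contract is visible where the field is declared. The off-by-default behaviour also appears to rely on the pcb being zero-filled at allocation, which is outside this patch and worth confirming. The struct definition begins above this hunk.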
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 82b9f4b..a4147c3 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1223,6 +1223,7 @@ ip_ctloutput(int op, struct socket *so, struct sockopt
*sopt)
case IP_TOS:
case IP_TTL:
+ case IP_MINTTL:
case IP_RECVOPTS:
case IP_RECVRETOPTS:
case IP_RECVDSTADDR:
@@ -1240,6 +1241,13 @@ ip_ctloutput(int op, struct socket *so, struct sockopt
*sopt)
case IP_TTL:
inp->inp_ip.ip_ttl = optval;
break;
+
+ case IP_MINTTL:
+ if (optval > 0 && optval <= MAXTTL)
+ inp->inp_ip_minttl = optval;
+ else
+ error = EINVAL;
+ break;
#define OPTSET(bit) \
if (optval) \
inp->inp_flags |= bit; \
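Review bot: The range check `if (optval > 0 && optval <= MAXTTL)` rejects 0 with EINVAL, so once IP_MINTTL has been set on a socket it can never be cleared, even though 0 is exactly the value the receive-side test in this patch (`ip->ip_ttl < inp->inp_ip_minttl`) treats as "no minimum". Accepting zero fixes that: `if (optval >= 0 && optval <= MAXTTL)`. Separately, the setter accepts the option on any IP socket while only tcp_input.c enforces it, so a datagram socket silently gets no protection; either reject it there for non-stream sockets or say so in ip.4 beside the SOCK_STREAM sentence. ip_ctloutput's body continues outside this hunk.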
@@ -1335,6 +1343,7 @@ ip_ctloutput(int op, struct socket *so, struct sockopt
*sopt)
case IP_TOS:
case IP_TTL:
+ case IP_MINTTL:
case IP_RECVOPTS:
case IP_RECVRETOPTS:
case IP_RECVDSTADDR:
@@ -1350,6 +1359,10 @@ ip_ctloutput(int op, struct socket *so, struct sockopt
*sopt)
optval = inp->inp_ip.ip_ttl;
break;
+ case IP_MINTTL:
+ optval = inp->inp_ip_minttl;
+ break;
+
case IP_ERRORMTU:
optval = inp->inp_errormtu;
break;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 6da7591..bf877fd 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1289,6 +1289,10 @@ findpcb:
#endif
}
+ /* Check the minimum TTL for socket. */
+ if (ip->ip_ttl < inp->inp_ip_minttl)
+ goto drop;
+
/*
* If the state is CLOSED (i.e., TCB does not exist) then
* all data in the incoming segment is discarded.
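Review bot: `inp->inp_ip_minttl` and `ip->ip_ttl` are dereferenced unconditionally right after the per-family pcb lookup, and, as far as can be inferred from outside the hunk, this function reaches this point for AF_INET6 segments with `inp` (and `ip`) left NULL and `in6p` filled instead, so an IPv6 segment would fault here rather than be checked. Guard the test on the v4 state that is actually set, e.g. `if (inp != NULL && ip != NULL && ip->ip_ttl < inp->inp_ip_minttl) goto drop;`, and note in the comment that GTSM is not applied to IPv6 hop limits by this change. Nothing is counted on this drop either, so a GTSM rejection is indistinguishable from a lost segment to an operator; incrementing a dedicated tcpstat counter (e.g. a new `<tcps_minttl_drop placeholder>`) before the `goto drop` would make it observable. The enclosing function starts and ends outside this hunk.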
--
Min Sik Kim