Module Name:    src
Committed By:   minskim
Date:           Fri Jul 17 22:02:54 UTC 2009

Modified Files:
        src/share/man/man4: ip.4
        src/sys/netinet: in.h in_pcb.h ip_output.c tcp_input.c

Log Message:
Add the IP_MINTTL socket option.

The IP_MINTTL option may be used on SOCK_STREAM sockets to discard
packets with a TTL lower than the option value.  This can be used to
implement the Generalized TTL Security Mechanism (GTSM) according to
RFC 3682.

OK'ed by chris...@.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/share/man/man4/ip.4
cvs rdiff -u -r1.84 -r1.85 src/sys/netinet/in.h
cvs rdiff -u -r1.46 -r1.47 src/sys/netinet/in_pcb.h
cvs rdiff -u -r1.204 -r1.205 src/sys/netinet/ip_output.c
cvs rdiff -u -r1.296 -r1.297 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man4/ip.4
diff -u src/share/man/man4/ip.4:1.25 src/share/man/man4/ip.4:1.26
--- src/share/man/man4/ip.4:1.25	Thu Jul 16 07:31:48 2009
+++ src/share/man/man4/ip.4	Fri Jul 17 22:02:54 2009
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ip.4,v 1.25 2009/07/16 07:31:48 wiz Exp $
+.\"	$NetBSD: ip.4,v 1.26 2009/07/17 22:02:54 minskim Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -186,6 +186,20 @@
 cmsg_level = IPPROTO_IP
 cmsg_type = IP_RECVTTL
 .Ed
+.Pp
+The
+.Dv IP_MINTTL
+option may be used on
+.Dv SOCK_STREAM
+sockets to discard packets with a TTL lower than the option value.
+This can be used to implement the
+.Em Generalized TTL Security Mechanism (GTSM)
+according to RFC 3682.
+To discard all packets with a TTL lower than 255:
+.Bd -literal -offset indent
+int minttl = 255;
+setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
+.Ed
 .Ss MULTICAST OPTIONS
 .Tn IP
 multicasting is supported only on

Index: src/sys/netinet/in.h
diff -u src/sys/netinet/in.h:1.84 src/sys/netinet/in.h:1.85
--- src/sys/netinet/in.h:1.84	Thu Jul 16 04:09:51 2009
+++ src/sys/netinet/in.h	Fri Jul 17 22:02:54 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: in.h,v 1.84 2009/07/16 04:09:51 minskim Exp $	*/
+/*	$NetBSD: in.h,v 1.85 2009/07/17 22:02:54 minskim Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1990, 1993
@@ -283,6 +283,7 @@
 #define	IP_IPSEC_POLICY		22 /* struct; get/set security policy */
 #endif
 #define	IP_RECVTTL		23   /* bool; receive IP TTL w/dgram */
+#define	IP_MINTTL		24   /* minimum TTL for packet or drop */
 
 /*
  * Defaults and limits for options

Index: src/sys/netinet/in_pcb.h
diff -u src/sys/netinet/in_pcb.h:1.46 src/sys/netinet/in_pcb.h:1.47
--- src/sys/netinet/in_pcb.h:1.46	Thu Jul 16 04:09:51 2009
+++ src/sys/netinet/in_pcb.h	Fri Jul 17 22:02:54 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb.h,v 1.46 2009/07/16 04:09:51 minskim Exp $	*/
+/*	$NetBSD: in_pcb.h,v 1.47 2009/07/17 22:02:54 minskim Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,6 +91,7 @@
 	struct	  mbuf *inp_options;	/* IP options */
 	struct	  ip_moptions *inp_moptions; /* IP multicast options */
 	int	  inp_errormtu;		/* MTU of last xmit status = EMSGSIZE */
+	uint8_t	  inp_ip_minttl;
 };
 
 #define	inp_faddr	inp_ip.ip_dst
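Review bot: The new `inp_ip_minttl` member is the only field in this struct without a trailing comment, and its zero value is load-bearing: with the check written as `ip->ip_ttl < inp->inp_ip_minttl`, a pcb whose field is 0 never drops anything, because an unsigned TTL is never below zero. That deserves to be stated at the declaration, `uint8_t	  inp_ip_minttl;	/* min TTL of rcvd segments, 0 = off */`. Whether a freshly allocated pcb actually starts at 0 depends on the allocator zeroing the struct, which is not visible here and is worth confirming rather than assuming. The struct definition starts outside the hunk.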

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.204 src/sys/netinet/ip_output.c:1.205
--- src/sys/netinet/ip_output.c:1.204	Thu Jul 16 04:09:51 2009
+++ src/sys/netinet/ip_output.c	Fri Jul 17 22:02:54 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.204 2009/07/16 04:09:51 minskim Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.205 2009/07/17 22:02:54 minskim Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.204 2009/07/16 04:09:51 minskim Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.205 2009/07/17 22:02:54 minskim Exp $");
 
 #include "opt_pfil_hooks.h"
 #include "opt_inet.h"
@@ -1223,6 +1223,7 @@
 
 		case IP_TOS:
 		case IP_TTL:
+		case IP_MINTTL:
 		case IP_RECVOPTS:
 		case IP_RECVRETOPTS:
 		case IP_RECVDSTADDR:
@@ -1240,6 +1241,13 @@
 			case IP_TTL:
 				inp->inp_ip.ip_ttl = optval;
 				break;
+
+			case IP_MINTTL:
+				if (optval > 0 && optval <= MAXTTL)
+					inp->inp_ip_minttl = optval;
+				else
+					error = EINVAL;
+				break;
 #define	OPTSET(bit) \
 	if (optval) \
 		inp->inp_flags |= bit; \
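Review bot: The set path accepts IP_MINTTL on any IP socket, but this commit only enforces it in tcp_input.c and the new ip.4 text restricts it to SOCK_STREAM, so a UDP or raw socket owner who sets it gets success and no TTL filtering at all, which is exactly the false assurance a GTSM deployment must avoid. If the socket is available in this function, rejecting non-stream sockets with `ENOPROTOOPT` (or at least documenting the silent no-op in ip.4) closes that gap. Separately, `optval > 0` rejects 0, so once set the option cannot be switched off on a live socket; allowing 0 as "disabled", which I believe is how other BSDs treat this option, is more useful, `if (optval < 0 || optval > MAXTTL) error = EINVAL; else inp->inp_ip_minttl = optval;`. The enclosing switch starts and ends outside the hunk.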
@@ -1335,6 +1343,7 @@
 
 		case IP_TOS:
 		case IP_TTL:
+		case IP_MINTTL:
 		case IP_RECVOPTS:
 		case IP_RECVRETOPTS:
 		case IP_RECVDSTADDR:
@@ -1350,6 +1359,10 @@
 				optval = inp->inp_ip.ip_ttl;
 				break;
 
+			case IP_MINTTL:
+				optval = inp->inp_ip_minttl;
+				break;
+
 			case IP_ERRORMTU:
 				optval = inp->inp_errormtu;
 				break;

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.296 src/sys/netinet/tcp_input.c:1.297
--- src/sys/netinet/tcp_input.c:1.296	Sat Jun 20 17:29:31 2009
+++ src/sys/netinet/tcp_input.c	Fri Jul 17 22:02:54 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.296 2009/06/20 17:29:31 christos Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.297 2009/07/17 22:02:54 minskim Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -145,7 +145,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.296 2009/06/20 17:29:31 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.297 2009/07/17 22:02:54 minskim Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -1289,6 +1289,10 @@
 #endif
 	}
 
+	/* Check the minimum TTL for socket. */
+	if (ip->ip_ttl < inp->inp_ip_minttl)
+		goto drop;
+
 	/*
 	 * If the state is CLOSED (i.e., TCB does not exist) then
 	 * all data in the incoming segment is discarded.
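Review bot: The new check dereferences `inp` and `ip` unconditionally; if tcp_input() can reach this point with an IPv6 segment, where `ip` is NULL and the pcb is tracked through an in6pcb rather than `inp` (the usual shape of this function, not visible in the hunk), this is a NULL dereference on every IPv6 TCP segment. Guarding on the IPv4 case, `if (inp && ip && ip->ip_ttl < inp->inp_ip_minttl) goto drop;`, keeps the intended v4 semantics and leaves v6 untouched until a hop-limit equivalent exists. It is also worth confirming that inp_ip_minttl is copied to sockets spawned from a listening socket, since GTSM is normally configured on the listener before the peer connects; otherwise the option protects only the handshake. The enclosing function starts and ends outside the hunk.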
