authormdodd <mdodd@FreeBSD.org>2003-04-01 08:21:44 +0000
committermdodd <mdodd@FreeBSD.org>2003-04-01 08:21:44 +0000
commite72fdee732ab55fc784034c81ccedda4b5279816 (patch)
treef90a5d7ffe2a0b6602c7942defa8707719f90a9c /sbin
parent0bafba46a2e8ee2d4fd220f149d08306f11d0f4d (diff)
downloadFreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.zip
FreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.tar.gz
Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt) This fulfills the host requirements for userland support by way of the setsockopt() IP_EVIL_INTENT message. There are three sysctl tunables provided to govern system behavior. net.inet.ip.rfc3514: Enables support for rfc3514. As this is an Informational RFC and support is not yet widespread this option is disabled by default. net.inet.ip.hear_no_evil If set the host will discard all received evil packets. net.inet.ip.speak_no_evil If set the host will discard all transmitted evil packets. The IP statistics counter 'ips_evil' (available via 'netstat') provides information on the number of 'evil' packets received. For reference, the '-E' option to 'ping' has been provided to demonstrate and test the implementation.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ping/ping.86
-rw-r--r--sbin/ping/ping.c14
2 files changed, 17 insertions, 3 deletions
diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8
index 71fa31a..49223e4 100644
--- a/sbin/ping/ping.8
+++ b/sbin/ping/ping.8
@@ -42,7 +42,7 @@
packets to network hosts
.Sh SYNOPSIS
.Nm
-.Op Fl AaDdfnoQqRrv
+.Op Fl AaDdEfnoQqRrv
.Op Fl c Ar count
.Op Fl i Ar wait
.Op Fl l Ar preload
@@ -56,7 +56,7 @@ packets to network hosts
.Op Fl z Ar tos
.Ar host
.Nm
-.Op Fl AaDdfLnoQqRrv
+.Op Fl AaDdEfLnoQqRrv
.Op Fl c Ar count
.Op Fl I Ar iface
.Op Fl i Ar wait
@@ -122,6 +122,8 @@ If this option is not specified,
will operate until interrupted.
.It Fl D
Set the Don't Fragment bit.
+.It Fl E
+Set the EVIL bit.
.It Fl d
Set the
.Dv SO_DEBUG
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 0d41c92..01a1459 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -143,6 +143,7 @@ int options;
#define F_HDRINCL 0x40000
#define F_MASK 0x80000
#define F_TIME 0x100000
+#define F_SO_EVIL 0x200000
/*
* MAX_DUP_CHK is the number of bits in received table, i.e. the maximum
@@ -256,7 +257,7 @@ main(argc, argv)
outpack = outpackhdr + sizeof(struct ip);
while ((ch = getopt(argc, argv,
- "Aac:DdfI:i:Ll:M:m:nop:QqRrS:s:T:t:vz:"
+ "Aac:DdEfI:i:Ll:M:m:nop:QqRrS:s:T:t:vz:"
#ifdef IPSEC
#ifdef IPSEC_POLICY_IPSEC
"P:"
@@ -286,6 +287,9 @@ main(argc, argv)
case 'd':
options |= F_SO_DEBUG;
break;
+ case 'E':
+ options |= F_SO_EVIL;
+ break;
case 'f':
if (uid) {
errno = EPERM;
@@ -547,6 +551,10 @@ main(argc, argv)
if (options & F_SO_DONTROUTE)
(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold,
sizeof(hold));
+ if (options & F_SO_EVIL)
+ if (setsockopt(s, IPPROTO_IP, IP_EVIL_INTENT, (char *)&hold,
+ sizeof(hold)) != 0)
+ err(EX_OSERR, "setsockopt(s, IPPROTO_IP, IP_EVIL_INTENT, ...)");
#ifdef IPSEC
#ifdef IPSEC_POLICY_IPSEC
if (options & F_POLICY) {
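Review bot: The new `if (options & F_SO_EVIL)` is an unbraced outer `if` whose whole body is a second `if`, the shape that invites a dangling-else slip on the next edit; fold it into one condition, `if ((options & F_SO_EVIL) && setsockopt(s, IPPROTO_IP, IP_EVIL_INTENT, (char *)&hold, sizeof(hold)) != 0)` followed by the existing `err(...)` line, or brace the outer body. Unlike the SO_DONTROUTE call just above, which discards its result with `(void)`, this call aborts with `EX_OSERR`; that is the more defensible choice for an option the commit message says is disabled by default in the kernel, but whether the setsockopt fails when `net.inet.ip.rfc3514` is off is not visible here, so a one-line comment stating the intended behavior (`/* -E is an error, not best effort, if the kernel refuses it */`) would make the asymmetry deliberate rather than accidental. main() begins and ends outside this hunk.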
@@ -593,6 +601,8 @@ main(argc, argv)
ip->ip_tos = tos;
ip->ip_id = 0;
ip->ip_off = df ? IP_DF : 0;
+ if (options & F_SO_EVIL)
+ ip->ip_off |= IP_EVIL;
ip->ip_ttl = ttl;
ip->ip_p = IPPROTO_ICMP;
ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY;
@@ -991,6 +1001,8 @@ pr_pack(buf, cc, from, tv)
(void)printf(" ttl=%d", ip->ip_ttl);
if (timing)
(void)printf(" time=%.3f ms", triptime);
+ if (ip->ip_off & IP_EVIL)
+ (void)printf(" (EVIL)");
if (dupflag)
(void)printf(" (DUP!)");
if (options & F_AUDIBLE)
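Review bot: `ip->ip_off & IP_EVIL` tests a 16-bit header field of the received packet exactly as the raw socket delivered it, with no `ntohs()`, while the neighbouring lines only read the byte-wide `ip_ttl`. On FreeBSD the kernel is understood to hand `ip_off` to raw sockets already in host byte order, which would make this test correct here, but nothing in the hunk records that assumption and a later porter could reasonably read it as a missing byte swap; a short comment such as `/* ip_off is in host order as delivered by the raw socket on FreeBSD */` would pin it down. pr_pack begins and ends outside this hunk.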