diff options
| author | ae <ae@FreeBSD.org> | 2017-04-17 09:42:05 +0000 |
|---|---|---|
| committer | ae <ae@FreeBSD.org> | 2017-04-17 09:42:05 +0000 |
| commit | fed97f3094ee0c71bc2ae864dce888257108122c (patch) | |
| tree | 183af123a8e5234f5555cf59f3154a14ffa856ae /sys/conf | |
| parent | 93c66f329a5c7a8161ceef873184cc5c7b69431c (diff) | |
| download | FreeBSD-src-fed97f3094ee0c71bc2ae864dce888257108122c.zip FreeBSD-src-fed97f3094ee0c71bc2ae864dce888257108122c.tar.gz | |
MFC r316435:
Add ipfw_pmod kernel module.
The module is designed for modification of a packets of any protocols.
For now it implements only TCP MSS modification. It adds the external
action handler for "tcp-setmss" action.
A rule with tcp-setmss action does additional check for protocol and
TCP flags. If SYN flag is present, it parses TCP options and modifies
MSS option if its value is greater than configured value in the rule.
Then it adjustes TCP checksum if needed. After handling the search
continues with the next rule.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D10150
Diffstat (limited to 'sys/conf')
| -rw-r--r-- | sys/conf/NOTES | 3 | ||||
| -rw-r--r-- | sys/conf/files | 2 | ||||
| -rw-r--r-- | sys/conf/options | 1 |
3 files changed, 6 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 46dfa9d..4b396b4 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -957,6 +957,9 @@ device lagg # # IPFIREWALL_NPTV6 adds support for in kernel NPTv6 in ipfw. # +# IPFIREWALL_PMOD adds support for protocols modification module. Currently +# it supports only TCP MSS modification. +# # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. diff --git a/sys/conf/files b/sys/conf/files index a98da70..d5dfe37 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -4006,6 +4006,8 @@ netpfil/ipfw/nptv6/ip_fw_nptv6.c optional inet inet6 ipfirewall \ ipfirewall_nptv6 netpfil/ipfw/nptv6/nptv6.c optional inet inet6 ipfirewall \ ipfirewall_nptv6 +netpfil/ipfw/pmod/ip_fw_pmod.c optional inet ipfirewall_pmod +netpfil/ipfw/pmod/tcpmod.c optional inet ipfirewall_pmod netpfil/pf/if_pflog.c optional pflog pf inet netpfil/pf/if_pfsync.c optional pfsync pf inet netpfil/pf/pf.c optional pf inet diff --git a/sys/conf/options b/sys/conf/options index 04697a6..f52b390 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -424,6 +424,7 @@ IPFIREWALL_NAT64_DIRECT_OUTPUT opt_ipfw.h IPFIREWALL_NPTV6 opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h +IPFIREWALL_PMOD opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h IPSEC_SUPPORT opt_ipsec.h |
