diff options
| author | dan <dan@FreeBSD.org> | 2000-06-08 15:34:51 +0000 |
|---|---|---|
| committer | dan <dan@FreeBSD.org> | 2000-06-08 15:34:51 +0000 |
| commit | c3897dad80cc844b7f75b8cfa53825c031d02605 (patch) | |
| tree | a156e91e6ecec2e7ac6b722fecb49d451eb5515b /sys/netinet/ip_fw.h | |
| parent | 31f827d91f8e4147518f8d6192a98d5196ef935a (diff) | |
| download | FreeBSD-src-c3897dad80cc844b7f75b8cfa53825c031d02605.zip FreeBSD-src-c3897dad80cc844b7f75b8cfa53825c031d02605.tar.gz | |
Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies. For example, to
rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 9467624..78fd18d 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -64,6 +64,7 @@ struct ip_fw { unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */ } fw_uar; u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */ + u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */ u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */ long timestamp; /* timestamp (tv_sec) of last match */ union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */ @@ -230,6 +231,15 @@ struct ipfw_dyn_rule { #define IP_FW_IPOPT_TS 0x08 /* + * Definitions for TCP option names. + */ +#define IP_FW_TCPOPT_MSS 0x01 +#define IP_FW_TCPOPT_WINDOW 0x02 +#define IP_FW_TCPOPT_SACK 0x04 +#define IP_FW_TCPOPT_TS 0x08 +#define IP_FW_TCPOPT_CC 0x10 + +/* * Definitions for TCP flags. */ #define IP_FW_TCPF_FIN TH_FIN |
