author | des <des@FreeBSD.org> | 1999-02-22 18:19:57 +0000 |
committer | des <des@FreeBSD.org> | 1999-02-22 18:19:57 +0000 |
commit | 2f3574b0d4cb7a8667a429bba306179dc71ce610 (patch) | |
tree | bde08a569ee0edca7aa65ffd0b9a03adca780034 /sys/netinet | |
parent | d51135c0c3ce43b173e455e0e5a42cf324e3e282 (diff) | |
Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.
This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).
Reviewed by: eivind, bde
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index c1ee58e..be63e54 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.113 1999/01/27 22:42:25 dillon Exp $
+ * $Id: ip_input.c,v 1.114 1999/02/09 16:55:46 wollman Exp $
  */
 
 #define _IP_VHL
@@ -139,6 +139,12 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
  &ip_mtu, 0, "");
 #endif
 
+#ifdef IPSTEALTH
+static int ipstealth = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
+ &ipstealth, 0, "");
+#endif
+
 #if !defined(COMPAT_IPFW) || COMPAT_IPFW == 1
 #undef COMPAT_IPFW
 #define COMPAT_IPFW 1
@@ -1404,11 +1410,18 @@ ip_forward(m, srcrt)
  return;
  }
  HTONS(ip->ip_id);
- if (ip->ip_ttl <= IPTTLDEC) {
- icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0);
- return;
+#ifdef IPSTEALTH
+ if (!ipstealth) {
+#endif
+ if (ip->ip_ttl <= IPTTLDEC) {
+ icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
+ dest, 0);
+ return;
+ }
+ ip->ip_ttl -= IPTTLDEC;
+#ifdef IPSTEALTH
  }
- ip->ip_ttl -= IPTTLDEC;
+#endif
  sin = (struct sockaddr_in *)&ipforward_rt.ro_dst;
  if ((rt = ipforward_rt.ro_rt) == 0 ||
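Review bot: The new `ipstealth` sysctl in the second hunk is registered with an empty description string and the variable has no comment, so nothing at the declaration tells an administrator that enabling `net.inet.ip.stealth` makes ip_forward skip both the TTL-expiry check and the TTL decrement (as the third hunk shows), not merely suppress the ICMP reply. As far as this diff shows, that also removes the only TTL-based protection this hop has against packets circulating in a routing loop, which is worth stating where the knob is defined. The neighbouring `mtu` entry also uses `""`, but this knob changes forwarding semantics, so I would add `/* Forward without decrementing TTL; also skips the ICMP_TIMXCEED check in ip_forward(). */` above the declaration and replace the `""` with a description such as `"IP stealth mode, no TTL decrementation"`. The ip_forward body touched by the third hunk continues past the end of this diff.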