From e72fdee732ab55fc784034c81ccedda4b5279816 Mon Sep 17 00:00:00 2001
From: mdodd
Date: Tue, 1 Apr 2003 08:21:44 +0000
Subject: Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt) This fulfills the host requirements for userland support by way of the setsockopt() IP_EVIL_INTENT message. There are three sysctl tunables provided to govern system behavior. net.inet.ip.rfc3514: Enables support for rfc3514. As this is an Informational RFC and support is not yet widespread this option is disabled by default. net.inet.ip.hear_no_evil If set the host will discard all received evil packets. net.inet.ip.speak_no_evil If set the host will discard all transmitted evil packets. The IP statistics counter 'ips_evil' (available via 'netstat') provides information on the number of 'evil' packets recieved. For reference, the '-E' option to 'ping' has been provided to demonstrate and test the implementation.
---
 sbin/ping/ping.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'sbin/ping/ping.c')
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index 0d41c92..01a1459 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -143,6 +143,7 @@ int options;
 #define F_HDRINCL 0x40000
 #define F_MASK 0x80000
 #define F_TIME 0x100000
+#define F_SO_EVIL 0x200000

 /*
  * MAX_DUP_CHK is the number of bits in received table, i.e. the maximum
@@ -256,7 +257,7 @@ main(argc, argv)
 outpack = outpackhdr + sizeof(struct ip);

 while ((ch = getopt(argc, argv,
- "Aac:DdfI:i:Ll:M:m:nop:QqRrS:s:T:t:vz:"
+ "Aac:DdEfI:i:Ll:M:m:nop:QqRrS:s:T:t:vz:"
 #ifdef IPSEC
 #ifdef IPSEC_POLICY_IPSEC
 "P:"
@@ -286,6 +287,9 @@ main(argc, argv)
 case 'd':
 options |= F_SO_DEBUG;
 break;
+ case 'E':
+ options |= F_SO_EVIL;
+ break;
 case 'f':
 if (uid) {
 errno = EPERM;
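Review bot: The new `case 'E':` registers the option but nothing in this commit documents it: the diffstat lists 13 insertions and all 13 are accounted for by the hunks shown, so ping's usage() text is not extended and, with only sbin/ping/ping.c touched, the manual page is not updated either. A usage entry listing `-E` beside the other single-letter flags, and a manual sentence stating that `-E` requests the RFC 3514 evil bit through the IP_EVIL_INTENT socket option, would keep the option discoverable. The switch sits inside main(), whose body starts and ends outside this hunk.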
@@ -547,6 +551,10 @@ main(argc, argv)
 if (options & F_SO_DONTROUTE)
 (void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold,
 sizeof(hold));
+ if (options & F_SO_EVIL)
+ if (setsockopt(s, IPPROTO_IP, IP_EVIL_INTENT, (char *)&hold,
+ sizeof(hold)) != 0)
+ err(EX_OSERR, "setsockopt(s, IPPROTO_IP, IP_EVIL_INTENT, ...)");
 #ifdef IPSEC
 #ifdef IPSEC_POLICY_IPSEC
 if (options & F_POLICY) {
@@ -593,6 +601,8 @@ main(argc, argv)
 ip->ip_tos = tos;
 ip->ip_id = 0;
 ip->ip_off = df ? IP_DF : 0;
+ if (options & F_SO_EVIL)
+ ip->ip_off |= IP_EVIL;
 ip->ip_ttl = ttl;
 ip->ip_p = IPPROTO_ICMP;
 ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY;
@@ -991,6 +1001,8 @@ pr_pack(buf, cc, from, tv)
 (void)printf(" ttl=%d", ip->ip_ttl);
 if (timing)
 (void)printf(" time=%.3f ms", triptime);
+ if (ip->ip_off & IP_EVIL)
+ (void)printf(" (EVIL)");
 if (dupflag)
 (void)printf(" (DUP!)");
 if (options & F_AUDIBLE)
-- 
cgit v1.1
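Review bot: The value handed to IP_EVIL_INTENT is whatever `hold` contains at that point, which is assigned outside the hunk, so the new call silently depends on the earlier SO_DEBUG/SO_DONTROUTE setup having left `hold` at 1 (presumably the case — confirm); a dedicated `int on = 1;` passed as `(char *)&on` would make the intent explicit and independent of that ordering. The unbraced `if` nested directly inside another `if` is the classic dangling-else hazard, so brace the outer one: `if (options & F_SO_EVIL) { ... }`. Aborting with err() rather than the `(void)` discard used for SO_DONTROUTE is justified because `-E` was explicitly requested and the commit message says net.inet.ip.rfc3514 is off by default, but the message could help the user when that is the cause, e.g. `err(EX_OSERR, "setsockopt(IP_EVIL_INTENT) (is net.inet.ip.rfc3514 enabled?)")` — assuming the kernel rejects the option while the sysctl is off, which this hunk cannot show. main() begins and ends outside the hunk.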
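Review bot: `ip->ip_off & IP_EVIL` in pr_pack tests the received header word directly, which is only correct if ip_off is in host byte order in this buffer; nothing in the hunk establishes that (the neighbouring `ip_ttl` is a single byte and gives no hint). If the raw socket delivers the header untouched, the test has to be `ntohs(ip->ip_off) & IP_EVIL`; whichever holds, a comment on the new line stating the assumed byte order, along the lines of `/* ip_off is host order here — see how the kernel hands raw headers up */`, would stop the next reader from guessing. pr_pack's body continues outside the hunk on both sides.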