From c3897dad80cc844b7f75b8cfa53825c031d02605 Mon Sep 17 00:00:00 2001
From: dan
Date: Thu, 8 Jun 2000 15:34:51 +0000
Subject: Add tcpoptions to ipfw. This works much in the same way as ipoptions do. It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS, ipfw pipe 10 config 56Kbit/s queue 10Packets ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss Submitted by: Richard A. Steenbergen
---
 sys/netinet/ip_fw.h | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'sys/netinet/ip_fw.h')
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 9467624..78fd18d 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -64,6 +64,7 @@ struct ip_fw {
 unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
 } fw_uar;
 u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
+ u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */
 u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
 long timestamp; /* timestamp (tv_sec) of last match */
 union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
@@ -230,6 +231,15 @@ struct ipfw_dyn_rule {
 #define IP_FW_IPOPT_TS 0x08
 /*
+ * Definitions for TCP option names.
+ */
+#define IP_FW_TCPOPT_MSS 0x01
+#define IP_FW_TCPOPT_WINDOW 0x02
+#define IP_FW_TCPOPT_SACK 0x04
+#define IP_FW_TCPOPT_TS 0x08
+#define IP_FW_TCPOPT_CC 0x10
+
+/*
 * Definitions for TCP flags.
 */
 #define IP_FW_TCPF_FIN TH_FIN
-- cgit v1.1
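Review bot: The new `u_char fw_tcpopt,fw_tcpnopt;` pair is inserted in the middle of `struct ip_fw`, ahead of `fw_tcpf,fw_tcpnf`, so those two bytes (and possibly later members) move to new offsets. If this struct is also what the userland ipfw tool passes to the kernel, which seems likely for the rule structure in this header but is not shown here, a tool built against the old header would have its TCP flag masks read as TCP option masks, and a rule could match different traffic than the administrator wrote. I would add a comment at the field such as `/* layout shared with userland: rebuild kernel and ipfw together */`, and confirm that the rule-add path rejects bits outside the defined IP_FW_TCPOPT_* set. The struct begins and ends outside this hunk, so padding and the full layout cannot be judged from here.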
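Review bot: The five IP_FW_TCPOPT_* defines in the second hunk have no per-constant comment saying which TCP option each bit stands for, and `IP_FW_TCPOPT_CC` in particular could mean CC alone or also CC.NEW and CC.ECHO. A trailing comment on each line, for example `#define IP_FW_TCPOPT_MSS 0x01 /* maximum segment size */`, would settle that for rule authors. The values use five of the eight bits available in the `u_char` masks added in the first hunk, so the block comment could also state that only three bits remain. The code that walks the options is not part of this page; because option lengths come from the packet, it is worth confirming that it bounds every option against the TCP header length before testing these bits.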