authorhenning <henning@openbsd.org>2006-10-11 09:34:51 +0000
committerhenning <henning@openbsd.org>2006-10-11 09:34:51 +0000
commitcf161772af55cc509d0e38162d7ffd9328fb0693 (patch)
treeed445adc6d5ebd863ac3d65f8226feffc179c351
parentimplement IP_RECVTTL socket option. (diff)
implement IP_MINTTL socket option for tcp sockets
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255, receiver checks no router on the way (or, no more than expected) reduced the TTL. carp uses that technique already. modeled after FreeBSD implementation. ok claudio djm deraadt
-rw-r--r--sys/netinet/in.h3
-rw-r--r--sys/netinet/in_pcb.h3
-rw-r--r--sys/netinet/ip_output.c14
-rw-r--r--sys/netinet/tcp_input.c6
4 files changed, 22 insertions, 4 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 22923c5352c..bbbd2f42888 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.72 2006/10/11 09:29:20 henning Exp $ */
+/* $OpenBSD: in.h,v 1.73 2006/10/11 09:34:51 henning Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -266,6 +266,7 @@ struct ip_opts {
#define IP_IPCOMP_LEVEL 29 /* int; compression used */
#define IP_RECVIF 30 /* bool; receive reception if w/dgram */
#define IP_RECVTTL 31 /* bool; receive IP TTL w/dgram */
+#define IP_MINTTL 32 /* minimum TTL for packet or drop */
/*
* Security levels - IPsec, not IPSO
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 28614c186c7..ef747a35d47 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.56 2006/10/11 09:29:20 henning Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.57 2006/10/11 09:34:51 henning Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -132,6 +132,7 @@ struct inpcb {
#define SR_FAILED 1 /* Negotiation failed permanently */
#define SR_SUCCESS 2 /* SA successfully established */
#define SR_WAIT 3 /* Waiting for SA */
+ u_char inp_ip_minttl; /* minimum TTL or drop */
TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next;
struct tdb *inp_tdb_in, *inp_tdb_out;
struct ipsec_policy *inp_ipo;
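Review bot: The comment on the new `inp_ip_minttl` field does not say that zero means "no check", which is the convention the tcp_input.c hunk relies on (`inp->inp_ip_minttl && ...`); suggest `u_char inp_ip_minttl; /* minimum TTL for incoming packets, or drop; 0 disables the check */`. That convention also requires every freshly allocated inpcb to have the field zeroed — presumably the allocator already clears the structure, but that is outside this diff and worth confirming. The enclosing struct inpcb begins before this hunk.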
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 3a42e2f72b0..adbb3ecd32f 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.181 2006/10/11 09:29:20 henning Exp $ */
+/* $OpenBSD: ip_output.c,v 1.182 2006/10/11 09:34:51 henning Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -1044,6 +1044,7 @@ ip_ctloutput(op, so, level, optname, mp)
case IP_TOS:
case IP_TTL:
+ case IP_MINTTL:
case IP_RECVOPTS:
case IP_RECVRETOPTS:
case IP_RECVDSTADDR:
@@ -1063,6 +1064,12 @@ ip_ctloutput(op, so, level, optname, mp)
inp->inp_ip.ip_ttl = optval;
break;
+ case IP_MINTTL:
+ if (optval > 0 && optval <= MAXTTL)
+ inp->inp_ip_minttl = optval;
+ else
+ error = EINVAL;
+ break;
#define OPTSET(bit) \
if (optval) \
inp->inp_flags |= bit; \
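Review bot: The set path accepts IP_MINTTL for any PF_INET socket, but the only enforcement this commit adds is in tcp_input.c, so a setsockopt on a UDP or raw socket succeeds silently and has no effect, while the commit title limits the option to tcp sockets. If the option is meant to be TCP-only, rejecting it here — e.g. `if (so->so_proto->pr_protocol != IPPROTO_TCP) { error = EINVAL; break; }` ahead of the range test — or stating the limitation in the in.h comment would stop callers from relying on a check that is not performed; the getsockopt hunk below has the same gap, returning the stored value regardless of protocol. The range test `optval > 0 && optval <= MAXTTL` does correctly bound the value for the u_char field. ip_ctloutput continues outside this hunk.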
@@ -1384,6 +1391,7 @@ ip_ctloutput(op, so, level, optname, mp)
case IP_TOS:
case IP_TTL:
+ case IP_MINTTL:
case IP_RECVOPTS:
case IP_RECVRETOPTS:
case IP_RECVDSTADDR:
@@ -1401,6 +1409,10 @@ ip_ctloutput(op, so, level, optname, mp)
optval = inp->inp_ip.ip_ttl;
break;
+ case IP_MINTTL:
+ optval = inp->inp_ip_minttl;
+ break;
+
#define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0)
case IP_RECVOPTS:
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 431ebdf1eed..881d4ae1529 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.196 2006/03/12 18:42:40 markus Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.197 2006/10/11 09:34:51 henning Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -637,6 +637,10 @@ findpcb:
}
}
+ /* Check the minimum TTL for socket. */
+ if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
+ goto drop;
+
tp = intotcpcb(inp);
if (tp == 0)
goto dropwithreset_ratelim;
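Review bot: The check is applied to whichever inpcb findpcb resolved, so for a listening socket it filters only the SYN; nothing in this diff copies `inp_ip_minttl` into the inpcb created for the accepted connection, and unless that propagation exists elsewhere (the syn-cache completion path would be the likely place, not shown here), segments after the handshake would bypass the minimum-TTL check on the child socket. That would defeat the RFC3682 use case in the commit message, where the session being protected is an accepted one, so it is worth confirming. A smaller point: the `goto drop` is silent, and counting these drops in a tcpstat field would let an operator distinguish a TTL-security rejection from other drops when diagnosing a peer that cannot connect. The enclosing tcp_input function starts and ends outside this hunk.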