authorhenning <henning@openbsd.org>2006-10-11 09:34:51 +0000
committerhenning <henning@openbsd.org>2006-10-11 09:34:51 +0000
commitcf161772af55cc509d0e38162d7ffd9328fb0693 (patch)
treeed445adc6d5ebd863ac3d65f8226feffc179c351 /sys/netinet/tcp_input.c
parentimplement IP_RECVTTL socket option. (diff)
implement IP_MINTTL socket option fo tcp sockets
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255, receiver checks no router on the way (or, no more than expected) reduced the TTL. carp uses that technique already. modeled after FreeBSD implementation. ok claudio djm deraadt
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r--sys/netinet/tcp_input.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 431ebdf1eed..881d4ae1529 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.196 2006/03/12 18:42:40 markus Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.197 2006/10/11 09:34:51 henning Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -637,6 +637,10 @@ findpcb:
}
}
+ /* Check the minimum TTL for socket. */
+ if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
+ goto drop;
+
tp = intotcpcb(inp);
if (tp == 0)
goto dropwithreset_ratelim;
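Review bot: The new test reads `ip->ip_ttl` for every segment that reaches this point after `findpcb`, and nothing in the hunk shows that `ip` points at an IPv4 header on all paths. If this code also handles IPv6 segments (plausible for tcp_input.c, but not visible here), the check should run only for IPv4 packets, with the IPv6 hop limit compared separately; otherwise a non-zero `inp_ip_minttl` could lead to a dereference of an unset pointer. The drop is also silent: incrementing a statistics counter before `goto drop` would let operators see how many segments the TTL check rejects, which is the signal of interest when RFC 3682 filtering is deployed. The comment could state the policy, for example `/* Drop if the received TTL is below the socket's IP_MINTTL (0 = check disabled). */`. The enclosing function starts and ends outside the hunk.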