-rw-r--r-- | sys/conf/NOTES | 7 | ||||
-rw-r--r-- | sys/conf/options | 3 | ||||
-rw-r--r-- | sys/i386/conf/LINT | 7 | ||||
-rw-r--r-- | sys/i386/conf/NOTES | 7 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 23 |
5 files changed, 38 insertions, 9 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index e1a40744757d..3175d27d5a70 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $ +# $Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from @@ -456,6 +456,10 @@ options PPP_FILTER #enable bpf filtering (needs bpfilter) # IPFILTER_LOG enables ipfilter's logging. # IPFILTER_LKM enables LKM support for an ipfilter module (untested). # +# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding +# packets without touching the ttl). This can be useful to hide firewalls +# from traceroute and similar tools. +# # TCPDEBUG is undocumented. # options "TCP_COMPAT_42" #emulate 4.2BSD TCP bugs @@ -470,6 +474,7 @@ options IPDIVERT #divert sockets options IPFILTER #kernel ipfilter support options IPFILTER_LOG #ipfilter logging #options IPFILTER_LKM #kernel support for ip_fil.o LKM +options IPSTEALTH #support for stealth forwarding options TCPDEBUG # ICMP_BANDLIM enables icmp error response bandwidth limiting. You diff --git a/sys/conf/options b/sys/conf/options index 6da960cb2c84..6263e9fba28e 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -1,4 +1,4 @@ -# $Id: options,v 1.126 1999/02/09 01:02:37 mjacob Exp $ +# $Id: options,v 1.127 1999/02/14 11:59:58 nsouch Exp $ # # On the handling of kernel options # @@ -201,6 +201,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_FORWARD opt_ipfw.h +IPSTEALTH IPX opt_ipx.h IPXIP opt_ipx.h IPTUNNEL opt_ipx.h diff --git a/sys/i386/conf/LINT b/sys/i386/conf/LINT index e1a40744757d..3175d27d5a70 100644 --- a/sys/i386/conf/LINT +++ b/sys/i386/conf/LINT 
@@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $ +# $Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from @@ -456,6 +456,10 @@ options PPP_FILTER #enable bpf filtering (needs bpfilter) # IPFILTER_LOG enables ipfilter's logging. # IPFILTER_LKM enables LKM support for an ipfilter module (untested). # +# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding +# packets without touching the ttl). This can be useful to hide firewalls +# from traceroute and similar tools. +# # TCPDEBUG is undocumented. # options "TCP_COMPAT_42" #emulate 4.2BSD TCP bugs @@ -470,6 +474,7 @@ options IPDIVERT #divert sockets options IPFILTER #kernel ipfilter support options IPFILTER_LOG #ipfilter logging #options IPFILTER_LKM #kernel support for ip_fil.o LKM +options IPSTEALTH #support for stealth forwarding options TCPDEBUG # ICMP_BANDLIM enables icmp error response bandwidth limiting. You diff --git a/sys/i386/conf/NOTES b/sys/i386/conf/NOTES index e1a40744757d..3175d27d5a70 100644 --- a/sys/i386/conf/NOTES +++ b/sys/i386/conf/NOTES @@ -2,7 +2,7 @@ # LINT -- config file for checking all the sources, tries to pull in # as much of the source tree as it can. # -# $Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $ +# $Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $ # # NB: You probably don't want to try running a kernel built from this # file. Instead, you should start from GENERIC, and add options from 
@@ -456,6 +456,10 @@ options PPP_FILTER #enable bpf filtering (needs bpfilter) # IPFILTER_LOG enables ipfilter's logging. # IPFILTER_LKM enables LKM support for an ipfilter module (untested). # +# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding +# packets without touching the ttl). This can be useful to hide firewalls +# from traceroute and similar tools. +# # TCPDEBUG is undocumented. # options "TCP_COMPAT_42" #emulate 4.2BSD TCP bugs @@ -470,6 +474,7 @@ options IPDIVERT #divert sockets options IPFILTER #kernel ipfilter support options IPFILTER_LOG #ipfilter logging #options IPFILTER_LKM #kernel support for ip_fil.o LKM +options IPSTEALTH #support for stealth forwarding options TCPDEBUG # ICMP_BANDLIM enables icmp error response bandwidth limiting. You diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index c1ee58e03b55..be63e54ced99 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_input.c,v 1.113 1999/01/27 22:42:25 dillon Exp $ + * $Id: ip_input.c,v 1.114 1999/02/09 16:55:46 wollman Exp $ */ #define _IP_VHL @@ -139,6 +139,12 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW, &ip_mtu, 0, ""); #endif +#ifdef IPSTEALTH +static int ipstealth = 0; +SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW, + &ipstealth, 0, ""); +#endif + #if !defined(COMPAT_IPFW) || COMPAT_IPFW == 1 #undef COMPAT_IPFW #define COMPAT_IPFW 1 @@ -1404,11 +1410,18 @@ ip_forward(m, srcrt) return; } HTONS(ip->ip_id); - if (ip->ip_ttl <= IPTTLDEC) { - icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0); - return; +#ifdef IPSTEALTH + if (!ipstealth) { +#endif + if (ip->ip_ttl <= IPTTLDEC) { + icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, + dest, 0); + return; + } + ip->ip_ttl -= IPTTLDEC; +#ifdef IPSTEALTH } - ip->ip_ttl -= IPTTLDEC; +#endif sin = (struct sockaddr_in *)&ipforward_rt.ro_dst; if ((rt = ipforward_rt.ro_rt) == 0 || |
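Review bot: The `#ifdef IPSTEALTH` block added ahead of the COMPAT_IPFW section only takes effect if ip_input.c can see the option macro, and none of the hunks shown for this file (-31, -139, -1404) adds an include for it. sys/conf/options lists `IPSTEALTH` with no header name, unlike the `opt_ipfw.h` entries beside it. If a missing name means the default per-option header, as it appears to in that file's format, ip_input.c needs `#include "opt_ipstealth.h"` next to its other opt_*.h includes. Without it, both this block and the one in ip_forward compile out silently and the `net.inet.ip.stealth` knob never appears. The include list lies outside the visible hunks, so confirm against the full file.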
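Review bot: With `ipstealth` set, the new `if (!ipstealth) {` wrapper in ip_forward skips the `ip->ip_ttl <= IPTTLDEC` expiry check as well as the decrement, and neither the code nor the NOTES text says so. Packets arriving with a TTL of 0 or 1 are then forwarded unchanged, and a routing loop that passes through this host no longer ages packets out at this hop. That is presumably the intended trade-off for staying invisible to traceroute, but it should be stated where an operator will read it. I would add above the block `/* ipstealth: TTL is neither checked nor decremented, so this hop gives no loop protection; enable only where routes cannot loop through this host. */`, and one sentence to the same effect in the IPSTEALTH paragraph of NOTES/LINT. ip_forward's body starts and ends outside the hunk, so any other TTL handling in it is not visible here.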