Add support for stealth forwarding (forwarding packets without touching

their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde

sys/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $
+#	$Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -456,6 +456,10 @@ options PPP_FILTER			#enable bpf filtering (needs bpfilter)
 # IPFILTER_LOG enables ipfilter's logging.
 # IPFILTER_LKM enables LKM support for an ipfilter module (untested).
 #
+# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
+# packets without touching the ttl).  This can be useful to hide firewalls
+# from traceroute and similar tools.
+#
 # TCPDEBUG is undocumented.
 #
 options		"TCP_COMPAT_42"		#emulate 4.2BSD TCP bugs
@@ -470,6 +474,7 @@ options		IPDIVERT		#divert sockets
 options		IPFILTER		#kernel ipfilter support
 options		IPFILTER_LOG		#ipfilter logging
 #options	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options		IPSTEALTH		#support for stealth forwarding
 options		TCPDEBUG
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You

sys/conf/options

@@ -1,4 +1,4 @@
-#	$Id: options,v 1.126 1999/02/09 01:02:37 mjacob Exp $
+#	$Id: options,v 1.127 1999/02/14 11:59:58 nsouch Exp $
 #
 #        On the handling of kernel options   
 # 
@@ -201,6 +201,7 @@ IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_FORWARD		opt_ipfw.h
+IPSTEALTH
 IPX			opt_ipx.h
 IPXIP			opt_ipx.h
 IPTUNNEL		opt_ipx.h

sys/i386/conf/LINT

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $
+#	$Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -456,6 +456,10 @@ options PPP_FILTER			#enable bpf filtering (needs bpfilter)
 # IPFILTER_LOG enables ipfilter's logging.
 # IPFILTER_LKM enables LKM support for an ipfilter module (untested).
 #
+# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
+# packets without touching the ttl).  This can be useful to hide firewalls
+# from traceroute and similar tools.
+#
 # TCPDEBUG is undocumented.
 #
 options		"TCP_COMPAT_42"		#emulate 4.2BSD TCP bugs
@@ -470,6 +474,7 @@ options		IPDIVERT		#divert sockets
 options		IPFILTER		#kernel ipfilter support
 options		IPFILTER_LOG		#ipfilter logging
 #options	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options		IPSTEALTH		#support for stealth forwarding
 options		TCPDEBUG
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You

sys/i386/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.558 1999/02/21 15:04:43 nsouch Exp $
+#	$Id: LINT,v 1.559 1999/02/21 16:23:23 n_hibma Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -456,6 +456,10 @@ options PPP_FILTER			#enable bpf filtering (needs bpfilter)
 # IPFILTER_LOG enables ipfilter's logging.
 # IPFILTER_LKM enables LKM support for an ipfilter module (untested).
 #
+# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
+# packets without touching the ttl).  This can be useful to hide firewalls
+# from traceroute and similar tools.
+#
 # TCPDEBUG is undocumented.
 #
 options		"TCP_COMPAT_42"		#emulate 4.2BSD TCP bugs
@@ -470,6 +474,7 @@ options		IPDIVERT		#divert sockets
 options		IPFILTER		#kernel ipfilter support
 options		IPFILTER_LOG		#ipfilter logging
 #options	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options		IPSTEALTH		#support for stealth forwarding
 options		TCPDEBUG
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You

sys/netinet/ip_input.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- *	$Id: ip_input.c,v 1.113 1999/01/27 22:42:25 dillon Exp $
+ *	$Id: ip_input.c,v 1.114 1999/02/09 16:55:46 wollman Exp $
  */
 
 #define	_IP_VHL
@@ -139,6 +139,12 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 	&ip_mtu, 0, "");
 #endif
 
+#ifdef IPSTEALTH
+static int	ipstealth = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
+    &ipstealth, 0, "");
+#endif
+
 #if !defined(COMPAT_IPFW) || COMPAT_IPFW == 1
 #undef COMPAT_IPFW
 #define COMPAT_IPFW 1
@@ -1404,11 +1410,18 @@ ip_forward(m, srcrt)
 		return;
 	}
 	HTONS(ip->ip_id);
-	if (ip->ip_ttl <= IPTTLDEC) {
-		icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0);
-		return;
+#ifdef IPSTEALTH
+	if (!ipstealth) {
+#endif
+		if (ip->ip_ttl <= IPTTLDEC) {
+			icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
+			    dest, 0);
+			return;
+		}
+		ip->ip_ttl -= IPTTLDEC;
+#ifdef IPSTEALTH
 	}
-	ip->ip_ttl -= IPTTLDEC;
+#endif
 
 	sin = (struct sockaddr_in *)&ipforward_rt.ro_dst;
 	if ((rt = ipforward_rt.ro_rt) == 0 ||