MFC: IP_MINTTL socket option.

Approved by:	re (scottl)

share/man/man4/ip.4

@@ -32,7 +32,7 @@
 .\"     @(#)ip.4	8.2 (Berkeley) 11/30/93
 .\" $FreeBSD$
 .\"
-.Dd March 23, 2005
+.Dd August 22, 2005
 .Dt IP 4
 .Os
 .Sh NAME
@@ -113,6 +113,14 @@ int ttl = 60;                   /* max = 255 */
 setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
 .Ed
 .Pp
+.Dv IP_MINTTL
+may be used to set the minimum acceptable TTL a packet must have when
+received on a socket.
+All packets with a lower TTL are silently dropped.
+This option is only really useful when set to 255 preventing packets
+from outside the directly connected networks reaching local listeners
+on sockets.
+.Pp
 If the
 .Dv IP_RECVDSTADDR
 option is enabled on a

sys/netinet/in.h

@@ -415,6 +415,7 @@ __END_DECLS
 #define	IP_DUMMYNET_GET		64   /* get entire dummynet pipes */
 
 #define	IP_RECVTTL		65   /* bool; receive IP TTL w/dgram */
+#define	IP_MINTTL		66   /* minimum TTL for packet or drop */
 
 /*
  * Defaults and limits for options

sys/netinet/in_pcb.h

@@ -133,6 +133,7 @@ struct inpcb {
 #define	INP_ONESBCAST	0x10		/* send all-ones broadcast */
 	u_char	inp_ip_ttl;		/* time to live proto */
 	u_char	inp_ip_p;		/* protocol proto */
+	u_char	inp_ip_minttl;		/* minimum TTL or drop */
 
 	/* protocol dependent part; options */
 	struct {

sys/netinet/ip_output.c

@@ -1189,6 +1189,7 @@ ip_ctloutput(so, sopt)
 
 		case IP_TOS:
 		case IP_TTL:
+		case IP_MINTTL:
 		case IP_RECVOPTS:
 		case IP_RECVRETOPTS:
 		case IP_RECVDSTADDR:
@@ -1209,6 +1210,14 @@ ip_ctloutput(so, sopt)
 			case IP_TTL:
 				inp->inp_ip_ttl = optval;
 				break;
+
+			case IP_MINTTL:
+				if (optval > 0 && optval <= MAXTTL)
+					inp->inp_ip_minttl = optval;
+				else
+					error = EINVAL;
+				break;
+
 #define	OPTSET(bit) do {						\
 	INP_LOCK(inp);							\
 	if (optval)							\
@@ -1333,6 +1342,7 @@ ip_ctloutput(so, sopt)
 
 		case IP_TOS:
 		case IP_TTL:
+		case IP_MINTTL:
 		case IP_RECVOPTS:
 		case IP_RECVRETOPTS:
 		case IP_RECVDSTADDR:
@@ -1351,6 +1361,10 @@ ip_ctloutput(so, sopt)
 				optval = inp->inp_ip_ttl;
 				break;
 
+			case IP_MINTTL:
+				optval = inp->inp_ip_minttl;
+				break;
+
 #define	OPTBIT(bit)	(inp->inp_flags & bit ? 1 : 0)
 
 			case IP_RECVOPTS:

sys/netinet/raw_ip.c

@@ -157,6 +157,9 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
 	if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
 		policyfail = 1;
 #endif
+	/* Check the minimum TTL for socket. */
+	if (last->inp_ip_minttl && last->inp_ip_minttl > ip->ip_ttl)
+		policyfail = 1;
 	if (!policyfail) {
 		struct mbuf *opts = NULL;
 		struct socket *so;

sys/netinet/tcp_input.c

@@ -740,6 +740,11 @@ findpcb:
 		goto dropwithreset;
 	}
 	INP_LOCK(inp);
+
+	/* Check the minimum TTL for socket. */
+	if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
+		goto drop;
+
 	if (inp->inp_vflag & INP_TIMEWAIT) {
 		/*
 		 * The only option of relevance is TOF_CC, and only if

sys/netinet/udp_usrreq.c

@@ -384,6 +384,9 @@ udp_input(m, off)
 		return;
 	}
 	INP_LOCK(inp);
+	/* Check the minimum TTL for socket. */
+	if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
+		goto badheadlocked;
 	udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in);
 	INP_UNLOCK(inp);
 	INP_INFO_RUNLOCK(&udbinfo);