author | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-03-13 12:04:53 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-03-13 12:04:53 +0000 |
commit | a5adf7f49230a5dcc00c9842fb6419ec480c9ad7 (patch) | |
tree | 6bd642ee9e54887be7be9be75951e24437430f6b /usr.sbin | |
parent | 8645b1d1654ad6598b00d7ec956a30e89be3584a (diff) |
allow specifying the IP_TTL and IP_MINTTL options for the relays to
support the Generalized TTL Security Mechanism (GTSM) according to RFC
3682. this is especially useful with inbound connections and a fixed
distance to the backend servers.
ok pyr@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/hoststated/hoststated.conf.5 | 16 | ||||
-rw-r--r-- | usr.sbin/hoststated/hoststated.h | 6 | ||||
-rw-r--r-- | usr.sbin/hoststated/parse.y | 19 | ||||
-rw-r--r-- | usr.sbin/hoststated/relay.c | 45 | ||||
-rw-r--r-- | usr.sbin/relayd/parse.y | 19 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 45 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 16 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 6 |
8 files changed, 138 insertions, 34 deletions
diff --git a/usr.sbin/hoststated/hoststated.conf.5 b/usr.sbin/hoststated/hoststated.conf.5 index 4b4ad79c23a..b26624b25f7 100644 --- a/usr.sbin/hoststated/hoststated.conf.5 +++ b/usr.sbin/hoststated/hoststated.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: hoststated.conf.5,v 1.38 2007/03/12 12:21:09 reyk Exp $ +.\" $OpenBSD: hoststated.conf.5,v 1.39 2007/03/13 12:04:52 reyk Exp $ .\" .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> .\" @@ -505,9 +505,11 @@ section above. Log the name and the value of the entity. .El .It Ic tcp Ar option -Enable or disable the specified TCP option; see +Enable or disable the specified TCP/IP options; see .Xr tcp 4 -for details about TCP options. +and +.Xr ip 4 +for more information about the options. Valid options are: .Bl -tag -width Ds .It Ic backlog Ar number @@ -516,6 +518,14 @@ The backlog option is 10 by default and is limited by the .Ic kern.somaxconn .Xr sysctl 8 variable. +.It Ic ip minttl Ar number +This option for the underlying IP connection may be used to discard packets +with a TTL lower than the specified value. +This can be used to implement the +.Ar Generalized TTL Security Mechanism (GTSM) +according to RFC 3682. +.It Ic ip ttl +Change the default time-to-live value in the IP headers. .It Xo .Op Ic no .Ic nodelay diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h index 1759ebb8a0b..ca4e0e0647e 100644 --- a/usr.sbin/hoststated/hoststated.h +++ b/usr.sbin/hoststated/hoststated.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hoststated.h,v 1.36 2007/03/05 11:44:50 reyk Exp $ */ +/* $OpenBSD: hoststated.h,v 1.37 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org> @@ -406,6 +406,8 @@ enum prototype { #define TCPFLAG_SACK 0x04 #define TCPFLAG_NSACK 0x08 #define TCPFLAG_BUFSIZ 0x10 +#define TCPFLAG_IPTTL 0x20 +#define TCPFLAG_IPMINTTL 0x40 #define TCPFLAG_DEFAULT 0x00 #define SSLFLAG_SSLV2 0x01 
@@ -422,6 +424,8 @@ struct protocol { u_int8_t tcpflags; int tcpbufsiz; int tcpbacklog; + u_int8_t tcpipttl; + u_int8_t tcpipminttl; u_int8_t sslflags; char *sslciphers; char name[MAX_NAME_SIZE]; diff --git a/usr.sbin/hoststated/parse.y b/usr.sbin/hoststated/parse.y index 996994ce8a6..0815ea82f0e 100644 --- a/usr.sbin/hoststated/parse.y +++ b/usr.sbin/hoststated/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.35 2007/03/07 17:40:32 reyk Exp $ */ +/* $OpenBSD: parse.y,v 1.36 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> @@ -110,7 +110,7 @@ typedef struct { %token SEND EXPECT NOTHING SSL LOADBALANCE ROUNDROBIN CIPHERS COOKIE %token RELAY LISTEN ON FORWARD TO NAT LOOKUP PREFORK NO MARK MARKED %token PROTO SESSION CACHE APPEND CHANGE REMOVE FROM FILTER HASH HEADER -%token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY +%token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY IP %token ERROR %token <v.string> STRING %type <v.string> interface @@ -675,6 +675,20 @@ tcpflags : SACK { proto->tcpflags |= TCPFLAG_SACK; } proto->tcpflags |= TCPFLAG_BUFSIZ; proto->tcpbufsiz = $3; } + | IP STRING number { + if (strcasecmp("ttl", $2) == 0) { + proto->tcpflags |= TCPFLAG_IPTTL; + proto->tcpipttl = $3; + } else if (strcasecmp("minttl", $2) == 0) { + proto->tcpflags |= TCPFLAG_IPMINTTL; + proto->tcpipminttl = $3; + } else { + yyerror("invalid TCP/IP flag: %s", $2); + free($2); + YYERROR; + } + free($2); + } ; sslflags_l : sslflags comma sslflags_l @@ -1085,6 +1099,7 @@ lookup(char *s) { "icmp", ICMP }, { "interface", INTERFACE }, { "interval", INTERVAL }, + { "ip", IP }, { "listen", LISTEN }, { "loadbalance", LOADBALANCE }, { "log", LOG }, diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c index 1ccc1680eae..f19078a69a6 100644 --- a/usr.sbin/hoststated/relay.c +++ b/usr.sbin/hoststated/relay.c 
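Review bot: The new `IP STRING number` action in the usr.sbin/hoststated/parse.y hunk assigns `$3` straight into the `u_int8_t` fields `tcpipttl` and `tcpipminttl` with no range check, so any value outside 0–255 is silently truncated (a config line such as `ip minttl 256` ends up as 0), and for `minttl` that quietly disables the GTSM filtering the option is meant to provide. Add a guard ahead of the `strcasecmp` chain, e.g. `if ($3 < 0 || $3 > 255) { yyerror("invalid ttl"); free($2); YYERROR; }`; the exact comparison depends on the type the `number` nonterminal carries, which is outside this hunk. The identical action in the usr.sbin/relayd/parse.y hunk has the same gap. The enclosing `tcpflags` rule begins outside the hunk.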
@@ -1,4 +1,4 @@ -/* $OpenBSD: relay.c,v 1.18 2007/03/07 17:40:32 reyk Exp $ */ +/* $OpenBSD: relay.c,v 1.19 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org> @@ -517,6 +517,10 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, if ((s = socket(ss->ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) goto bad; + + /* + * Socket options + */ bzero(&lng, sizeof(lng)); if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) goto bad; @@ -525,7 +529,36 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, goto bad; if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) goto bad; + if (proto->tcpflags & TCPFLAG_BUFSIZ) { + val = proto->tcpbufsiz; + if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, + &val, sizeof(val)) == -1) + goto bad; + val = proto->tcpbufsiz; + if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, + &val, sizeof(val)) == -1) + goto bad; + } + + /* + * IP options + */ + if (proto->tcpflags & TCPFLAG_IPTTL) { + val = (int)proto->tcpipttl; + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &val, sizeof(val)) == -1) + goto bad; + } + if (proto->tcpflags & TCPFLAG_IPMINTTL) { + val = (int)proto->tcpipminttl; + if (setsockopt(s, IPPROTO_IP, IP_MINTTL, + &val, sizeof(val)) == -1) + goto bad; + } + /* + * TCP options + */ if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { if (proto->tcpflags & TCPFLAG_NNODELAY) val = 0; @@ -544,16 +577,6 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, &val, sizeof(val)) == -1) goto bad; } - if (proto->tcpflags & TCPFLAG_BUFSIZ) { - val = proto->tcpbufsiz; - if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, - &val, sizeof(val)) == -1) - goto bad; - val = proto->tcpbufsiz; - if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, - &val, sizeof(val)) == -1) - goto bad; - } return (s); diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y index 996994ce8a6..0815ea82f0e 100644 --- a/usr.sbin/relayd/parse.y +++ b/usr.sbin/relayd/parse.y 
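Review bot: The added `IP_TTL` and `IP_MINTTL` calls in the `@@ -525,7 +529,36 @@` hunk of relay_socket are issued at `IPPROTO_IP` regardless of `ss->ss_family`, so on an AF_INET6 relay socket they fail (an IPv6 socket does not take IPPROTO_IP options) and the `goto bad` makes socket creation fail whenever `ip ttl` or `ip minttl` is configured. That is at least fail-closed for `minttl`, but `ttl` should switch on the family and use `IPV6_UNICAST_HOPS` at `IPPROTO_IPV6` for AF_INET6, and the `minttl` path should reject non-AF_INET sockets explicitly rather than relying on the setsockopt error, so the restriction is visible in the code and not left to kernel behaviour. The same hunk appears in usr.sbin/relayd/relay.c. relay_socket starts and ends outside the hunk.
```c
	/*
	 * IP options
	 */
	if (proto->tcpflags & TCPFLAG_IPTTL) {
		val = (int)proto->tcpipttl;
		switch (ss->ss_family) {
		case AF_INET:
			if (setsockopt(s, IPPROTO_IP, IP_TTL,
			    &val, sizeof(val)) == -1)
				goto bad;
			break;
		case AF_INET6:
			if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
			    &val, sizeof(val)) == -1)
				goto bad;
			break;
		default:
			goto bad;
		}
	}
	if (proto->tcpflags & TCPFLAG_IPMINTTL) {
		/* GTSM minimum TTL is only available for IPv4 here; fail closed otherwise */
		if (ss->ss_family != AF_INET)
			goto bad;
		val = (int)proto->tcpipminttl;
		if (setsockopt(s, IPPROTO_IP, IP_MINTTL,
		    &val, sizeof(val)) == -1)
			goto bad;
	}
	/* … unchanged: TCP options … */
```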
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.35 2007/03/07 17:40:32 reyk Exp $ */ +/* $OpenBSD: parse.y,v 1.36 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> @@ -110,7 +110,7 @@ typedef struct { %token SEND EXPECT NOTHING SSL LOADBALANCE ROUNDROBIN CIPHERS COOKIE %token RELAY LISTEN ON FORWARD TO NAT LOOKUP PREFORK NO MARK MARKED %token PROTO SESSION CACHE APPEND CHANGE REMOVE FROM FILTER HASH HEADER -%token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY +%token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY IP %token ERROR %token <v.string> STRING %type <v.string> interface @@ -675,6 +675,20 @@ tcpflags : SACK { proto->tcpflags |= TCPFLAG_SACK; } proto->tcpflags |= TCPFLAG_BUFSIZ; proto->tcpbufsiz = $3; } + | IP STRING number { + if (strcasecmp("ttl", $2) == 0) { + proto->tcpflags |= TCPFLAG_IPTTL; + proto->tcpipttl = $3; + } else if (strcasecmp("minttl", $2) == 0) { + proto->tcpflags |= TCPFLAG_IPMINTTL; + proto->tcpipminttl = $3; + } else { + yyerror("invalid TCP/IP flag: %s", $2); + free($2); + YYERROR; + } + free($2); + } ; sslflags_l : sslflags comma sslflags_l @@ -1085,6 +1099,7 @@ lookup(char *s) { "icmp", ICMP }, { "interface", INTERFACE }, { "interval", INTERVAL }, + { "ip", IP }, { "listen", LISTEN }, { "loadbalance", LOADBALANCE }, { "log", LOG }, diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c index 1ccc1680eae..f19078a69a6 100644 --- a/usr.sbin/relayd/relay.c +++ b/usr.sbin/relayd/relay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay.c,v 1.18 2007/03/07 17:40:32 reyk Exp $ */ +/* $OpenBSD: relay.c,v 1.19 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org> 
@@ -517,6 +517,10 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, if ((s = socket(ss->ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) goto bad; + + /* + * Socket options + */ bzero(&lng, sizeof(lng)); if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) goto bad; @@ -525,7 +529,36 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, goto bad; if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) goto bad; + if (proto->tcpflags & TCPFLAG_BUFSIZ) { + val = proto->tcpbufsiz; + if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, + &val, sizeof(val)) == -1) + goto bad; + val = proto->tcpbufsiz; + if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, + &val, sizeof(val)) == -1) + goto bad; + } + + /* + * IP options + */ + if (proto->tcpflags & TCPFLAG_IPTTL) { + val = (int)proto->tcpipttl; + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &val, sizeof(val)) == -1) + goto bad; + } + if (proto->tcpflags & TCPFLAG_IPMINTTL) { + val = (int)proto->tcpipminttl; + if (setsockopt(s, IPPROTO_IP, IP_MINTTL, + &val, sizeof(val)) == -1) + goto bad; + } + /* + * TCP options + */ if (proto->tcpflags & (TCPFLAG_NODELAY|TCPFLAG_NNODELAY)) { if (proto->tcpflags & TCPFLAG_NNODELAY) val = 0; @@ -544,16 +577,6 @@ relay_socket(struct sockaddr_storage *ss, in_port_t port, &val, sizeof(val)) == -1) goto bad; } - if (proto->tcpflags & TCPFLAG_BUFSIZ) { - val = proto->tcpbufsiz; - if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, - &val, sizeof(val)) == -1) - goto bad; - val = proto->tcpbufsiz; - if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, - &val, sizeof(val)) == -1) - goto bad; - } return (s); diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index 9d9001282d8..b28fcac2f22 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.38 2007/03/12 12:21:09 reyk Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.39 2007/03/13 12:04:52 reyk Exp $ .\" .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> .\" 
@@ -505,9 +505,11 @@ section above. Log the name and the value of the entity. .El .It Ic tcp Ar option -Enable or disable the specified TCP option; see +Enable or disable the specified TCP/IP options; see .Xr tcp 4 -for details about TCP options. +and +.Xr ip 4 +for more information about the options. Valid options are: .Bl -tag -width Ds .It Ic backlog Ar number @@ -516,6 +518,14 @@ The backlog option is 10 by default and is limited by the .Ic kern.somaxconn .Xr sysctl 8 variable. +.It Ic ip minttl Ar number +This option for the underlying IP connection may be used to discard packets +with a TTL lower than the specified value. +This can be used to implement the +.Ar Generalized TTL Security Mechanism (GTSM) +according to RFC 3682. +.It Ic ip ttl +Change the default time-to-live value in the IP headers. .It Xo .Op Ic no .Ic nodelay diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index 69c9ce08e1d..486afd42d5c 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.36 2007/03/05 11:44:50 reyk Exp $ */ +/* $OpenBSD: relayd.h,v 1.37 2007/03/13 12:04:52 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org> @@ -406,6 +406,8 @@ enum prototype { #define TCPFLAG_SACK 0x04 #define TCPFLAG_NSACK 0x08 #define TCPFLAG_BUFSIZ 0x10 +#define TCPFLAG_IPTTL 0x20 +#define TCPFLAG_IPMINTTL 0x40 #define TCPFLAG_DEFAULT 0x00 #define SSLFLAG_SSLV2 0x01 @@ -422,6 +424,8 @@ struct protocol { u_int8_t tcpflags; int tcpbufsiz; int tcpbacklog; + u_int8_t tcpipttl; + u_int8_t tcpipminttl; u_int8_t sslflags; char *sslciphers; char name[MAX_NAME_SIZE]; |