settl patch for ipfw
Index: sbin/ipfw/ipfw2.c
===================================================================
--- sbin/ipfw/ipfw2.c (revision 254904)
+++ sbin/ipfw/ipfw2.c (working copy)
@@ -264,6 +264,7 @@
{ "reass", TOK_REASS },
{ "setfib", TOK_SETFIB },
{ "setdscp", TOK_SETDSCP },
+ { "setttl", TOK_SETTTL },
{ "call", TOK_CALL },
{ "return", TOK_RETURN },
{ NULL, 0 } /* terminator */
@@ -1313,6 +1314,10 @@
PRINT_UINT_ARG("setdscp ", cmd->arg1);
}
break;
+
+ case O_SETTTL:
+ PRINT_UINT_ARG("settl ", cmd->arg1);
+ break;
case O_REASS:
printf("reass");
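Review bot: The string printed in the new `case O_SETTTL:` is `"settl "`, but the keyword added to the action table in the first hunk is `"setttl"`. A rule listing that contains this action therefore cannot be fed back to the parser, which breaks saving and reloading a ruleset from the listing output. The line should read `PRINT_UINT_ARG("setttl ", cmd->arg1);`. The enclosing switch starts and ends outside this hunk.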
@@ -3176,6 +3181,19 @@
av++;
break;
}
+
+ case TOK_SETTTL:
+ action->opcode = O_SETTTL;
+ NEED1("missing ttl value");
+ if (_substrcmp(*av, "tablearg") == 0) {
+ action->arg1 = IP_FW_TABLEARG;
+ } else {
+ action->arg1 = strtoul(*av, NULL, 10);
+ if (action->arg1 > 255)
+ errx(EX_DATAERR, "the maximum value for TTL is 255.\n");
+ }
+ av++;
+ break;
case TOK_REASS:
action->opcode = O_REASS;
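Review bot: The range check in the new `TOK_SETTTL` case runs only after the `strtoul()` result has been stored in `action->arg1`. If that field is narrower than `unsigned long` (it looks like the usual 16-bit instruction argument, but its declaration is not visible here), a value such as 65541 is truncated to 5 before the `> 255` test and is accepted. Passing `NULL` as the end pointer also means a non-numeric argument parses as 0 and installs a rule that sets TTL 0 without any error. I would parse into a local `unsigned long` with an end pointer, validate it, and assign only afterwards, as below. `errx()` already appends a newline, so the `\n` in the message can go. The surrounding switch continues outside the hunk.

```c
		} else {
			char *end;
			unsigned long ttl = strtoul(*av, &end, 10);

			/* Reject empty, non-numeric, trailing-garbage and out-of-range input. */
			if (end == *av || *end != '\0' || ttl > 255)
				errx(EX_DATAERR, "invalid TTL value: %s", *av);
			action->arg1 = ttl;
		}
		/* … unchanged: av++; break; … */
```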
Index: sbin/ipfw/ipfw2.h
===================================================================
--- sbin/ipfw/ipfw2.h (revision 254904)
+++ sbin/ipfw/ipfw2.h (working copy)
@@ -204,6 +204,7 @@
TOK_LOOKUP,
TOK_SOCKARG,
TOK_SETDSCP,
+ TOK_SETTTL
};
/*
* the following macro returns an error message if we run out of
Index: sys/netinet/ip_fw.h
===================================================================
--- sys/netinet/ip_fw.h (revision 254904)
+++ sys/netinet/ip_fw.h (working copy)
@@ -221,6 +221,8 @@
O_DSCP, /* 2 u32 = DSCP mask */
O_SETDSCP, /* arg1=DSCP value */
+ O_SETTTL, /* set ttl of the packet to arg1 */
+
O_LAST_OPCODE /* not an opcode! */
};
Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 254904)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -2401,7 +2401,24 @@
IPFW_INC_RULE_COUNTER(f, pktlen);
break;
}
+
+ case O_SETTTL: {
+ uint32_t ttl;
+ ttl = IP_FW_ARG_TABLEARG(cmd->arg1);
+ if (ttl > 255)
+ ttl = 255;
+ if (is_ipv4)
+ ip->ip_ttl = ttl;
+ else if (is_ipv6)
+ ((struct ip6_hdr *)ip)->ip6_hlim = ttl;
+ else
+ break;
+
+ IPFW_INC_RULE_COUNTER(f, pktlen);
+ break;
+ }
+
case O_NAT:
if (!IPFW_NAT_LOADED) {
retval = IP_FW_DENY;
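Review bot: The IPv4 branch of `case O_SETTTL` writes `ip->ip_ttl` but leaves `ip->ip_sum` untouched. Unless the header checksum is recomputed later on every path where this rule can match (not visible in this hunk), forwarded or inbound packets would leave with an invalid checksum and be dropped by the next hop. The TTL shares a 16-bit header word with the protocol field, so an incremental update over that word is enough; the IPv6 branch has no header checksum and needs no change. It would also help to note in a comment that a table argument above 255 is silently clamped, and that nothing here prevents a TTL of 0. The enclosing switch starts and ends outside the hunk.

```c
			if (is_ipv4) {
				/* TTL shares a 16-bit header word with ip_p. */
				uint16_t *word = (uint16_t *)&ip->ip_ttl;
				uint16_t old = *word;
				uint32_t sum;

				ip->ip_ttl = ttl;
				/* Incremental update (RFC 1624): HC' = ~(~HC + ~m + m') */
				sum = (uint16_t)~ip->ip_sum + (uint16_t)~old + *word;
				sum = (sum & 0xffff) + (sum >> 16);
				sum = (sum & 0xffff) + (sum >> 16);
				ip->ip_sum = (uint16_t)~sum;
			}
			/* … unchanged: IPv6 hop-limit branch, non-IP break, rule counter … */
```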