From owner-freebsd-net@FreeBSD.ORG Fri Apr 29 21:18:25 2005
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C0FA16A4CE; Fri, 29 Apr 2005 21:18:25 +0000 (GMT)
Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A8E343D45; Fri, 29 Apr 2005 21:18:25 +0000 (GMT) (envelope-from julian@elischer.org)
Received: from [208.206.78.97] (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id CB8937A403; Fri, 29 Apr 2005 14:18:24 -0700 (PDT)
Message-ID: <4272A4A0.4010601@elischer.org>
Date: Fri, 29 Apr 2005 14:18:24 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050423
X-Accept-Language: en, hu
MIME-Version: 1.0
To: Jeremie Le Hen
References: <20050426225230.GA61019@procent.t2.ds.pwr.wroc.pl> <20050427085629.S3686@Neo-Vortex.net> <20050428193931.GA78277@swordfish.vsip.net> <20050429090721.GT91329@obiwan.tataz.chchile.org>
In-Reply-To: <20050429090721.GT91329@obiwan.tataz.chchile.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
cc: GiZmen
Subject: Re: Changing packets ttl's
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 29 Apr 2005 21:18:25 -0000

Jeremie Le Hen wrote:
> Hi,
>
>> No, this sysctl is not what I want.
>> I need to change the TTL of outgoing packets to my internal network.
>> For example: there is a connection from a host on the internet.
>> It has, for example, 10 hops to my gateway. And when the packet comes
>> to my box it has, for example, a TTL of 55 in the IP header.
>> It is then routed to a host in my network, so my box changes the TTL
>> to 54. But what I need is to change the TTL to '1'.
>
> In Linux terms, you want to ``mangle'' the packet, re-writing its TTL.
> AFAIK, this is not possible with FreeBSD since this is really not a
> common action for a firewall (some conservative folks would even argue
> this is not its job). The pf firewall seems to have a ``min-ttl''
> statement in traffic normalization, but there is no ``max-ttl'' one.
>
> The simplest way to achieve this is to write a userland daemon which
> will retrieve the packet from the firewall from a divert socket, using
> ipfw(8). But this would have very poor performance in case you need
> high-bandwidth traffic as each packet would require at least two
> context switches, but for a DSL connection, I guess this would be ok.

Your assertion that the diverted packets add a lot of latency is not
quite true. While it is slower than in-kernel processing, it is not
nearly as bad as some people make out. Certainly it can keep up with
the average internet connection.

I would add code to do the mangling into a program such as natd and set
it up to do no translation (or a null translation).

Alternatively there is a much simpler daemon that connects in the same
way. In ports look for net/tcpmssd, which already does 99% of what you
want. It would be about a 20 line change to tcpmssd to do this. It
already fiddles with other packets.

> The other solution is to make a patch for one of the firewalls
> available in FreeBSD.
>
> Best regards,
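The per-packet TTL rewrite such a divert daemon would perform, as an added example that is not code from tcpmssd, natd or this thread: it validates the IPv4 header, sets the TTL (to 1, as the original poster wanted) and patches the header checksum incrementally per RFC 1624 instead of recomputing it. The sample header and the function names are constructed for this example; in a real daemon `rewrite_ttl` would run on each packet read from the divert socket before it is written back.

```c
#include <stdint.h>
#include <string.h>

/* One's-complement checksum over an IPv4 header (RFC 791); 0 when valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Rewrite the TTL in place and fix the header checksum incrementally
 * (RFC 1624: HC' = ~(~HC + ~m + m')). 0 on success, -1 if not an intact IPv4 header. */
int rewrite_ttl(uint8_t *pkt, size_t len, uint8_t new_ttl)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len || ip_checksum(pkt, hlen) != 0)
        return -1;                          /* malformed or corrupted header */
    /* TTL shares a 16-bit word with the protocol field (bytes 8 and 9). */
    uint16_t old_word = (uint16_t)(pkt[8] << 8 | pkt[9]);
    uint16_t new_word = (uint16_t)(new_ttl << 8 | pkt[9]);
    uint32_t sum = (uint16_t)~(pkt[10] << 8 | pkt[11]);  /* ~HC */
    sum += (uint16_t)~old_word;                           /* + ~m */
    sum += new_word;                                      /* + m' */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    pkt[8] = new_ttl;
    pkt[10] = (uint8_t)(~sum >> 8);
    pkt[11] = (uint8_t)~sum;
    return 0;
}
/* Constructed sample: IPv4/TCP header, TTL 55, 198.51.100.10 -> 192.0.2.20, checksum 0x9792. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x37, 0x06, 0x97, 0x92,
    0xc6, 0x33, 0x64, 0x0a, 0xc0, 0x00, 0x02, 0x14 };
/* Copy the sample, rewrite its TTL and return the new checksum word, or -1
 * if the rewrite was rejected or the result fails a full recompute. */
int rewrite_sample_ttl(uint8_t new_ttl)
{
    uint8_t pkt[sizeof sample_hdr];
    memcpy(pkt, sample_hdr, sizeof pkt);
    if (rewrite_ttl(pkt, sizeof pkt, new_ttl) != 0 || pkt[8] != new_ttl ||
        ip_checksum(pkt, sizeof pkt) != 0)
        return -1;
    return pkt[10] << 8 | pkt[11];
}
```

The full recompute in `rewrite_sample_ttl` is only there to cross-check the incremental update; a daemon would skip it on the hot path.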