Date: Fri, 29 Apr 2005 14:18:24 -0700
From: Julian Elischer <julian@elischer.org>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: GiZmen <gizmen@zion.vsip.pl>
Subject: Re: Changing packets ttl's
Message-ID: <4272A4A0.4010601@elischer.org>
In-Reply-To: <20050429090721.GT91329@obiwan.tataz.chchile.org>
References: <20050426225230.GA61019@procent.t2.ds.pwr.wroc.pl> <20050427085629.S3686@Neo-Vortex.net> <20050428193931.GA78277@swordfish.vsip.net> <20050429090721.GT91329@obiwan.tataz.chchile.org>
Jeremie Le Hen wrote:
> Hi,
>
>> No, this sysctl is not what I want.
>> I need to change the TTL of outgoing packets to my internal network.
>> For example: there is a connection from a host on the internet.
>> It has, for example, 10 hops to my gateway. And when the packet comes
>> to my box it has, for example, a TTL of 55 in the IP header.
>> And then it is routed to a host in my network, so my box changes the TTL
>> to 54. But what I need is to change the TTL to '1'.
>
> In Linux terms, you want to ``mangle'' the packet, re-writing its TTL.
> AFAIK, this is not possible with FreeBSD since this is really not a
> common action for a firewall (some conservative folks would even argue
> this is not its job). The pf firewall seems to have a ``min-ttl''
> statement in traffic normalization, but there is no ``max-ttl'' one.
>
> The simplest way to achieve this is to write a userland daemon which
> will retrieve the packet from the firewall from a divert socket, using
> ipfw(8). But this would have very poor performance in case you need
> high-bandwidth traffic as each packet would require at least two
> context switches, but for a DSL connection, I guess this would be ok.

Your assertion that the diverted packets add a lot of latency is not quite true. While it is slower than in-kernel processing, it is not nearly as bad as some people make out. Certainly it can keep up with the average internet connection.

I would add code to do the mangling into a program such as natd and set it up to do no translation (or a null translation). Alternatively there is a much simpler daemon that connects in the same way. In ports look for net/tcpmssd, which already does 99% of what you want. It would be about a 20-line change to tcpmssd to do this. It already fiddles other packets.

> The other solution is to make a patch for one of the firewalls
> available in FreeBSD.
>
> Best regards,
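As an added illustration of the divert-socket approach discussed above (example code, not from the thread, natd or tcpmssd): a minimal C daemon that pulls packets off an ipfw divert port, clamps the IPv4 TTL to 1 and reinjects them. The divert port 8668 and the ipfw rule in the comment are assumptions; the header-rewrite and checksum helpers are portable, so they can be checked on any host, while the socket loop only builds where IPPROTO_DIVERT exists (FreeBSD).

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Ones-complement sum over an IPv4 header; returns 0 when the checksum
 * field already matches the rest of the header (used for verification). */
uint16_t ip_cksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint16_t)(hdr[i] << 8 | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the TTL in place and patch the header checksum incrementally
 * (RFC 1624: HC' = ~(~HC + ~m + m'), m being the 16-bit TTL|protocol word),
 * so IP options never have to be rescanned. Returns the new checksum,
 * or -1 if the buffer does not start with an IPv4 header. */
int ip_set_ttl(uint8_t *hdr, size_t len, uint8_t ttl)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    uint16_t m  = (uint16_t)(hdr[8] << 8 | hdr[9]);   /* old TTL|proto */
    uint16_t m2 = (uint16_t)(ttl << 8 | hdr[9]);      /* new TTL|proto */
    uint16_t hc = (uint16_t)(hdr[10] << 8 | hdr[11]);
    uint32_t sum = (uint16_t)~hc + (uint16_t)~m + m2;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    hc = (uint16_t)~sum;
    hdr[8] = ttl; hdr[10] = hc >> 8; hdr[11] = hc & 0xff;
    return hc;
}

#ifdef IPPROTO_DIVERT /* FreeBSD; assumed rule: ipfw add divert 8668 ip from any to 192.168.0.0/24 out */
int main(void)
{
    uint8_t pkt[65535];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {                 /* recvfrom fills sin with the rule number to resume at */
        socklen_t sl = sizeof sin;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&sin, &sl);
        if (n < 20) continue;
        ip_set_ttl(pkt, (size_t)n, 1);                                  /* clamp to one hop */
        sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sin, sl);     /* reinject into ipfw */
    }
}
#endif
```

Packets that are not IPv4 are reinjected untouched, since ip_set_ttl leaves the buffer alone and returns -1.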