cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Darren Reed darrenr at hub.freebsd.org
Fri May 7 00:20:32 PDT 2004


On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> >   Provide the sysctl net.inet.ip.process_options to control the processing
> >   of IP options.
> >   
> >    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
> >    net.inet.ip.process_options=1  Process all IP options (default).
> >    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP
> >     filter prohibited message.
> >   
> >   This sysctl affects packets destined for the local host as well as those
> >   only transiting through the host (routing).
> >   
> >   IP options do not have any legitimate purpose anymore and are only used
> >   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> >   stacks.
> 
> Yay!
> Shall we have the default be `2 Reject all packets with IP options...' ?
> I think so.

It is disturbing to think that with 3 firewall solutions in the kernel,
basic features they provide, such as this, still get implemented as code.

Darren
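
The three policies in the quoted commit message, as an added example that is not FreeBSD's ip_input.c or its ip_dooptions(): a small IPv4 option walker that validates the option list and returns a verdict for process_options 0, 1 and 2. The verdict names, the OPTF_* flags and the three sample headers are this example's own constructions; the ICMP "filter prohibited" code (type 3, code 13) and the RFC 791 option type values are standard.

```c
/*
 * Added example, not FreeBSD's ip_input.c: a minimal IPv4 option walker
 * that applies the three net.inet.ip.process_options policies to a raw
 * IPv4 header.  Verdict names and sample packets are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type codes from RFC 791 (copy bit included for LSRR/SSRR). */
enum {
    IPOPT_EOL  = 0,    /* end of option list */
    IPOPT_NOP  = 1,    /* single-byte padding */
    IPOPT_RR   = 7,    /* record route */
    IPOPT_TS   = 68,   /* timestamp */
    IPOPT_LSRR = 131,  /* loose source route */
    IPOPT_SSRR = 137   /* strict source route */
};

#define OPTF_SOURCE_ROUTE 0x1   /* LSRR or SSRR present */
#define OPTF_OTHER        0x2   /* any other multi-byte option present */

/* Verdict names are this example's own, not kernel identifiers. */
typedef enum {
    PASS_UNMODIFIED,            /* process_options=0, or no options at all */
    PASS_PROCESSED,             /* process_options=1 and the list parsed cleanly */
    REJECT_ICMP_FILTER_PROHIB,  /* process_options=2: ICMP type 3, code 13 */
    DROP_MALFORMED              /* bad header or inconsistent option length */
} verdict_t;

/*
 * Walk opts[0..len).  Returns an OPTF_* bitmask, or -1 if an option length
 * is inconsistent.  A zero or oversized length byte is the classic bug
 * class: a loop that trusts opts[i+1] spins forever or reads past the header.
 */
int walk_ip_options(const uint8_t *opts, size_t len)
{
    int flags = 0;
    size_t i = 0;

    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)                   /* no room for the length byte */
            return -1;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)     /* zero, self-overlapping or overlong */
            return -1;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (olen < 3)                   /* needs the pointer byte */
                return -1;
            flags |= OPTF_SOURCE_ROUTE;
        } else {
            flags |= OPTF_OTHER;
        }
        i += olen;
    }
    return flags;
}

/* Apply the sysctl policy to a raw IPv4 packet of pktlen bytes. */
verdict_t ip_options_policy(const uint8_t *pkt, size_t pktlen, int process_options)
{
    if (pktlen < 20)
        return DROP_MALFORMED;
    unsigned version = pkt[0] >> 4;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (version != 4 || hlen < 20 || hlen > pktlen)
        return DROP_MALFORMED;
    if (hlen == 20)                         /* no options: the sysctl does not apply */
        return PASS_UNMODIFIED;

    switch (process_options) {
    case 0:                                 /* ignore options, pass untouched... */
        return PASS_UNMODIFIED;             /* ...even when the list is malformed */
    case 2:                                 /* reject anything carrying options */
        return REJECT_ICMP_FILTER_PROHIB;
    default:                                /* 1: parse and act on the options */
        return walk_ip_options(pkt + 20, hlen - 20) < 0 ? DROP_MALFORMED
                                                         : PASS_PROCESSED;
    }
}

/* Constructed sample headers (not captured traffic): 10.0.0.1 -> 10.0.0.2, ICMP. */
#define IPHDR(ihl, total) \
    0x40 | (ihl), 0x00, 0x00, (total), 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, \
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02

const uint8_t pkt_plain[20] = { IPHDR(5, 20) };                 /* no options */
const uint8_t pkt_lsrr[28]  = { IPHDR(7, 28),                   /* LSRR via 192.168.1.1 */
    IPOPT_LSRR, 7, 4, 0xc0, 0xa8, 0x01, 0x01, IPOPT_EOL };
const uint8_t pkt_bad[28]   = { IPHDR(7, 28),                   /* RR with length 0 */
    IPOPT_RR, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    static const char *names[] = { "pass-unmodified", "pass-processed",
                                   "reject-icmp-filter-prohib", "drop-malformed" };
    for (int mode = 0; mode <= 2; mode++)
        printf("process_options=%d: plain=%s lsrr=%s bad=%s\n", mode,
               names[ip_options_policy(pkt_plain, sizeof pkt_plain, mode)],
               names[ip_options_policy(pkt_lsrr, sizeof pkt_lsrr, mode)],
               names[ip_options_policy(pkt_bad, sizeof pkt_bad, mode)]);
    return 0;
}
```

Two things worth noticing when running it: a packet with no options is passed under every mode, including 2, because the sysctl only concerns packets that actually carry options; and mode 0 forwards pkt_bad untouched, since "ignore" means the option list is never inspected. The walker here only validates and classifies; it does not rewrite a source route or record a route the way the kernel's option processing does under mode 1.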

