cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Jacques A. Vidrine nectar at FreeBSD.org
Thu May 6 11:58:56 PDT 2004


On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> andre       2004/05/06 11:46:03 PDT
> 
>   FreeBSD src repository
> 
>   Modified files:
>     sys/netinet          ip_fastfwd.c ip_input.c ip_var.h 
>   Log:
>   Provide the sysctl net.inet.ip.process_options to control the processing
>   of IP options.
>   
>    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
>    net.inet.ip.process_options=1  Process all IP options (default).
>    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP
>     filter prohibited message.
>   
>   This sysctl affects packets destined for the local host as well as those
>   only transiting through the host (routing).
>   
>   IP options do not have any legitimate purpose anymore and are only used
>   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
>   stacks.
>   
>   Reviewed by:    sam (mentor)

Yay!
Shall we have the default be `2 Reject all packets with IP options...' ?
I think so.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
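
The three values of net.inet.ip.process_options listed in the commit log, as an added user-space example that is not part of the original message and not the code from ip_input.c or ip_fastfwd.c. The verdict names, the helper functions, the sample headers and the handling of values other than 0, 1 and 2 are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are hypothetical, chosen for this example only. */
enum verdict {
    V_MALFORMED,        /* not a usable IPv4 header */
    V_NO_OPTIONS,       /* 20-byte header: the sysctl has nothing to decide */
    V_PASS_UNMODIFIED,  /* value 0: options ignored, packet passed as is */
    V_PROCESS,          /* value 1: options are processed (default) */
    V_REJECT_ICMP       /* value 2: reject, ICMP type 3 code 13 (filter prohibited) */
};

/* Bytes of IP options in the header, or -1 if the header is invalid. */
static int ip_options_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL counts 32-bit words */
    return (hlen < 20 || hlen > len) ? -1 : (int)(hlen - 20);
}

/* Map a packet and a process_options value to one of the verdicts above. */
static enum verdict classify(const uint8_t *pkt, size_t len, int mode)
{
    int optlen = ip_options_len(pkt, len);
    if (optlen <= 0)
        return optlen < 0 ? V_MALFORMED : V_NO_OPTIONS;
    if (mode == 0)
        return V_PASS_UNMODIFIED;
    /* Assumption: values other than 0 and 2 are treated like the default, 1. */
    return mode == 2 ? V_REJECT_ICMP : V_PROCESS;
}

/* Constructed headers (checksums left zero): one plain, one with IHL=7
 * carrying a loose source route option (type 0x83) via 192.0.2.1. */
static const uint8_t plain_hdr[20] = { 0x45, 0x00, 0x00, 0x14 };
static const uint8_t lsrr_hdr[28] = { 0x47, 0x00, 0x00, 0x1c,
    [20] = 0x83, 0x07, 0x04, 192, 0, 2, 1, 0x00 };

int main(void)
{
    for (int mode = 0; mode <= 2; mode++)
        printf("process_options=%d: plain=%d with-options=%d\n", mode,
            classify(plain_hdr, sizeof plain_hdr, mode),
            classify(lsrr_hdr, sizeof lsrr_hdr, mode));
    return 0;
}
```

Packets without options get the same verdict under every value; only headers longer than 20 bytes are affected by the setting.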

