cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
sam at errno.com
Fri May 7 07:56:36 PDT 2004
On Friday 07 May 2004 12:20 am, Darren Reed wrote:
> On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> > On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > > Provide the sysctl net.inet.ip.process_options to control the
> > > processing of IP options.
> > >
> > > net.inet.ip.process_options=0 Ignore IP options and pass packets
> > > unmodified. net.inet.ip.process_options=1 Process all IP options
> > > (default). net.inet.ip.process_options=2 Reject all packets with IP
> > > options with ICMP filter prohibited message.
> > >
> > > This sysctl affects packets destined for the local host as well as
> > > those only transiting through the host (routing).
> > >
> > > IP options do not have any legitimate purpose anymore and are only
> > > used to circumvent firewalls or to exploit certain behaviours or bugs
> > > in TCP/IP stacks.
> > Yay!
> > Shall we have the default be `2 Reject all packets with IP options...' ?
> > I think so.
> It is disturbing to think that with 3 firewall solutions in the kernel,
> basic features they provide, such as this, still get implemented as code.
Employing a packet filter is not equivalent as it requires every packet to be
processed while this (effectively 7-line change) adds no new overhead to the
normal processing path for packets. It would be nice if packet filtering
were cheap enough that we could use it in this way but I don't think that's
the case just yet.
More information about the cvs-src