Default behaviour of IP Options processing

Sam Leffler sam at errno.com
Thu May 6 16:54:46 PDT 2004


On Thursday 06 May 2004 04:06 pm, Julian Elischer wrote:
> On Thu, 6 May 2004, David W. Chapman Jr. wrote:
> > > You mean ip options not tcp, right?  I do not understant why we
> > > invent a new mechanism if we already have one.  Put an example in
> > > /etc/rc.firewall.
> >
> > Yes, I stand corrected, ip option it is :)
> >
> > > You mean "more obscure", right?  Where net.inet.ip.process_options
> > > documented?  How does it operate with f.e. IPSTEALTH?
> >
> > I definitely agree it should be documented, but that's just a minor
> > detail which can be easily taken care of.
>
> I know these are "options" but what does the standards say about not
> supporting them.. ? (I have seen non optional options before :-)
>
> also I dislike the all-or-nothing mechanism
> I would rather see:
> net.inet.ip.options.RR: 1
> net.inet.ip.options.TS: 0
> net.inet.ip.options.SECURITY 0
> net.inet.ip.options.LSRR: 0
> net.inet.ip.options.SATID: 0
> net.inet.ip.options.SSRR: 0
> net.inet.ip.options.RA: 0
>
> where options we DON'T support exist and are stuck at 0.
>
> or maybe even:
> net.inet.ip.options.RecordRoute: 1
> net.inet.ip.options.TimeStamp: 0
> etc.
>
> if they are usually turned off then the test would only be done if that
> option exists and it would still be faster that actually doing the
> option.

For fine-grained selection packet filtering is the better solution.  This is a 
simple, much lighterweight, mechanism that doesn't require touching every 
packet.

	Sam


More information about the freebsd-net mailing list