ipoptions sysctl option

Chris chrcoluk at gmail.com
Fri Apr 1 00:25:41 PST 2005

Hi I read the pdf detailing new changes in 5.3 networking and noticed
a new sysctl variable is added 'net.inet.ip.process_options'

Here is the description.

"IP Options do not have any practical use today. The only useful
application is RR
(Record Route) where it remembers the last 8 hops the packet traversed through.
That allows you to check parts of the path back to you. IP options
processing is rather
expensive because the packet header has to be modified and expanded. In addition
the only other use is to circumvent or trick firewalls thus it is
normally blocked there.
The options are these: (By: andre)
# sysctl net.inet.ip.process_options=0
Possible Modes:
net.inet.ip.process_options=0 Ignore IP options and pass pkts unmodfied
net.inet.ip.process_options=1 Process all IP options (default)
net.inet.ip.process_options=2 Reject all pkts with IP options with ICMP
IPv4 Processing"

As it says above mine is set to 1 the default, would setting it to 0
help with things like DDOS attacks because it is processing less and
what side affects if any could I expect from ignoring ip options?



More information about the freebsd-stable mailing list