cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Jacques A. Vidrine
nectar at FreeBSD.org
Thu May 6 11:58:56 PDT 2004
On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> andre 2004/05/06 11:46:03 PDT
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fastfwd.c ip_input.c ip_var.h
> Log:
> Provide the sysctl net.inet.ip.process_options to control the processing
> of IP options.
>
> net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
> net.inet.ip.process_options=1 Process all IP options (default).
> net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
> filter prohibited message.
>
> This sysctl affects packets destined for the local host as well as those
> only transiting through the host (routing).
>
> IP options do not have any legitimate purpose anymore and are only used
> to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> stacks.
>
> Reviewed by: sam (mentor)
Yay!
Shall we have the default be `2 Reject all packets with IP options...' ?
I think so.
Cheers,
--
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
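The three policy values the commit log describes hinge on one header property: an IPv4 header whose IHL is larger than 5 carries options. The following added example (not code from the thread or from FreeBSD) parses the options field of a raw IPv4 header and maps each process_options value to the disposition the log gives it; the packets, the function names and the disposition strings are constructed here for illustration.

```python
# Policy values as documented for net.inet.ip.process_options in the commit log.
IGNORE, PROCESS, REJECT = 0, 1, 2

def ipv4_options(packet: bytes) -> list:
    """Return the options in an IPv4 header as (type, data) tuples.

    IHL is in 32-bit words: 5 (20 bytes) means no options, anything
    larger means the bytes after the fixed header are options.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, result, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result

def decide(packet: bytes, policy: int) -> str:
    """Disposition of a packet under a given process_options value (hypothetical helper)."""
    if not ipv4_options(packet):
        return "forward"                 # no options: every policy forwards
    if policy == IGNORE:
        return "forward"                 # options left in place, not interpreted
    if policy == REJECT:
        return "icmp-filter-prohibited"  # dropped with ICMP filter prohibited
    return "process"

# Constructed sample headers (checksum left zero; it is not verified here).
FIXED = bytes([0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06,
               0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2])
NO_OPTS = bytes([0x45]) + FIXED                                   # IHL = 5
WITH_OPTS = bytes([0x46]) + FIXED + bytes([0x01, 0x07, 0x03, 0x04])  # IHL = 6: NOP + Record Route
```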