cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Andre Oppermann
andre at freebsd.org
Thu May 6 12:17:38 PDT 2004
"Jacques A. Vidrine" wrote:
>
> On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > andre 2004/05/06 11:46:03 PDT
> >
> > FreeBSD src repository
> >
> > Modified files:
> > sys/netinet ip_fastfwd.c ip_input.c ip_var.h
> > Log:
> > Provide the sysctl net.inet.ip.process_options to control the processing
> > of IP options.
> >
> > net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
> > net.inet.ip.process_options=1 Process all IP options (default).
> > net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
> > filter prohibited message.
> >
> > This sysctl affects packets destined for the local host as well as those
> > only transiting through the host (routing).
> >
> > IP options do not have any legitimate purpose anymore and are only used
> > to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> > stacks.
> >
> > Reviewed by: sam (mentor)
>
> Yay!
> Shall we have the default be `2 Reject all packets with IP options...' ?
> I think so.
Please restate your opinion in the separate thread I just started on -current
and -net. :-)
--
Andre
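
Added example, not part of the original message and not code from the FreeBSD source: a user-space sketch of how the three documented values of net.inet.ip.process_options would apply to an IPv4 header that carries options (IHL greater than 5). The function names, the verdict enum and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical verdict names; they do not come from the FreeBSD source. */
enum verdict { V_NO_OPTIONS, V_PASS_UNMODIFIED, V_PROCESS, V_REJECT_ICMP, V_MALFORMED };

/* Constructed sample: IPv4 header with IHL=7 carrying one Record Route
 * option (type 7, length 7) padded with End of Option List. */
static const uint8_t sample_rr[28] = {
    0x47, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    7, 7, 4, 0, 0, 0, 0, 0 };

/* Walk the option bytes that follow the fixed 20-byte header. Returns the
 * number of multi-byte options, or -1 if a length field is inconsistent. */
static int count_options(const uint8_t *opt, size_t optlen)
{
    int n = 0;
    size_t i = 0;
    while (i < optlen && opt[i] != 0) {     /* 0 = End of Option List */
        if (opt[i] == 1) {                  /* 1 = No-Operation, single byte */
            i++;
            continue;
        }
        /* Every other option is type, length, data; length covers all three. */
        if (i + 1 >= optlen || opt[i + 1] < 2 || i + opt[i + 1] > optlen)
            return -1;
        i += opt[i + 1];
        n++;
    }
    return n;
}

/* mode takes the three values listed in the commit message: 0, 1 or 2. */
enum verdict classify(const uint8_t *pkt, size_t len, int mode)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return V_MALFORMED;
    if (hlen == 20)
        return V_NO_OPTIONS;                /* nothing for the sysctl to decide */
    if (mode == 0)
        return V_PASS_UNMODIFIED;           /* options present, never parsed */
    if (mode == 2)
        return V_REJECT_ICMP;               /* ICMP filter prohibited */
    return count_options(pkt + 20, hlen - 20) < 0 ? V_MALFORMED : V_PROCESS;
}

int main(void)
{
    for (int mode = 0; mode <= 2; mode++)
        printf("mode %d -> verdict %d\n", mode, classify(sample_rr, sizeof sample_rr, mode));
    return 0;
}
```

Only mode 1 ever reads the option bytes in this sketch, so an inconsistent option length can affect the result only in that mode.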