diff options
| author | Andre Oppermann <andre@FreeBSD.org> | 2004-05-06 18:46:03 +0000 |
|---|---|---|
| committer | Andre Oppermann <andre@FreeBSD.org> | 2004-05-06 18:46:03 +0000 |
| commit | 2bde81acd641009fc7fd168aa4fd9b91d98240a7 (patch) | |
| tree | 22eb8e04c9df14eb5b01b9ef5afdd606f02dc0d8 /sys/netinet/ip_fastfwd.c | |
| parent | b0e2b625f29c18e7dd3deb638a5c3fc66246c9d9 (diff) | |
| download | src-2bde81acd641009fc7fd168aa4fd9b91d98240a7.tar.gz src-2bde81acd641009fc7fd168aa4fd9b91d98240a7.zip | |
Provide the sysctl net.inet.ip.process_options to control the processing
of IP options.
net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
net.inet.ip.process_options=1 Process all IP options (default).
net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
filter prohibited message.
This sysctl affects packets destined for the local host as well as those
only transiting through the host (routing).
IP options do not have any legitimate purpose anymore and are only used
to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
stacks.
Reviewed by: sam (mentor)
Notes
Notes:
svn path=/head/; revision=129017
Diffstat (limited to 'sys/netinet/ip_fastfwd.c')
| -rw-r--r-- | sys/netinet/ip_fastfwd.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index 002943a301fb..a73c499e17d9 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -292,8 +292,16 @@ ip_fastforward(struct mbuf *m) /* * Only IP packets without options */ - if (ip->ip_hl != (sizeof(struct ip) >> 2)) - return 0; + if (ip->ip_hl != (sizeof(struct ip) >> 2)) { + if (ip_doopts == 1) + return 0; + else if (ip_doopts == 2) { + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB, + 0, NULL); + return 1; + } + /* else ignore IP options and continue */ + } /* * Only unicast IP, not from loopback, no L2 or IP broadcast, |