Message-Id: <200405061846.i46Ik3Jc060969@repoman.freebsd.org>
From: Andre Oppermann
Date: Thu, 6 May 2004 11:46:03 -0700 (PDT)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

andre       2004/05/06 11:46:03 PDT

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fastfwd.c ip_input.c ip_var.h
  Log:
  Provide the sysctl net.inet.ip.process_options to control the processing
  of IP options.

   net.inet.ip.process_options=0   Ignore IP options and pass packets unmodified.
   net.inet.ip.process_options=1   Process all IP options (default).
   net.inet.ip.process_options=2   Reject all packets with IP options with ICMP
                                   filter prohibited message.

  This sysctl affects packets destined for the local host as well as those
  only transiting through the host (routing).

  IP options do not have any legitimate purpose anymore and are only used
  to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
  stacks.

  Reviewed by:    sam (mentor)

  Revision  Changes    Path
  1.11      +10 -2     src/sys/netinet/ip_fastfwd.c
  1.271     +13 -0     src/sys/netinet/ip_input.c
  1.87      +1 -0      src/sys/netinet/ip_var.h
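
The three settings described in the commit log, as an added C sketch that is not the FreeBSD code from this commit: it decides from the IPv4 IHL field whether a header carries options and returns what each value of net.inet.ip.process_options would do with it. The verdict names, the sample headers and the drop-on-malformed handling in mode 1 are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict names are hypothetical, chosen for this sketch. */
enum verdict { PASS_UNMODIFIED, PROCESS_OPTIONS, REJECT_ICMP_PROHIB, DROP_MALFORMED };
/* Constructed sample headers: no options, Record Route (type 7), bad length. */
static const uint8_t pkt_plain[20] = { 0x45 };
static const uint8_t pkt_rr[24]    = { 0x46, [20] = 7, 3, 4, 0 };
static const uint8_t pkt_bad[24]   = { 0x46, [20] = 7, 9, 4, 0 };

/* Option bytes in an IPv4 header (IHL counts 32-bit words), -1 if malformed. */
static int option_bytes(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    return (hlen < 20 || hlen > len) ? -1 : (int)(hlen - 20);
}

/* Every option's length byte must keep it inside the header. */
static int options_well_formed(const uint8_t *o, int n)
{
    for (int i = 0; i < n; ) {
        if (o[i] == 0) return 1;              /* End of Option List */
        if (o[i] == 1) { i++; continue; }     /* No Operation, one byte */
        if (i + 1 >= n || o[i + 1] < 2 || i + o[i + 1] > n) return 0;
        i += o[i + 1];
    }
    return 1;
}

/* mode is the value of net.inet.ip.process_options (0, 1 or 2). */
enum verdict classify(const uint8_t *p, size_t len, int mode)
{
    int n = option_bytes(p, len);
    if (n < 0) return DROP_MALFORMED;
    if (n == 0 || mode == 0) return PASS_UNMODIFIED;  /* no options, or ignore them */
    if (mode == 2) return REJECT_ICMP_PROHIB;         /* reject without parsing */
    return options_well_formed(p + 20, n) ? PROCESS_OPTIONS : DROP_MALFORMED;
}

int main(void)
{
    for (int mode = 0; mode <= 2; mode++)
        printf("mode %d: plain=%d rr=%d bad=%d\n", mode,
               classify(pkt_plain, sizeof pkt_plain, mode), classify(pkt_rr, sizeof pkt_rr, mode),
               classify(pkt_bad, sizeof pkt_bad, mode));
    return 0;
}
```

With mode 0 or 2 the option bytes are never parsed, so a malformed option list such as the one in pkt_bad only reaches the option walker in the default mode 1.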