Date:      Thu, 06 May 2004 21:17:34 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID:  <409A8F4E.3B35DA9F@freebsd.org>
References:  <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <20040506185854.GB1777@madman.celabo.org>

"Jacques A. Vidrine" wrote:
> 
> On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > andre       2004/05/06 11:46:03 PDT
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sys/netinet          ip_fastfwd.c ip_input.c ip_var.h
> >   Log:
> >   Provide the sysctl net.inet.ip.process_options to control the processing
> >   of IP options.
> >
> >    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
> >    net.inet.ip.process_options=1  Process all IP options (default).
> >    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP
> >     filter prohibited message.
> >
> >   This sysctl affects packets destined for the local host as well as those
> >   only transiting through the host (routing).
> >
> >   IP options do not have any legitimate purpose anymore and are only used
> >   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> >   stacks.
> >
> >   Reviewed by:    sam (mentor)
> 
> Yay!
> Shall we have the default be `2 Reject all packets with IP options...' ?
> I think so.

Please restate your opinion in the separate thread I just started on -current
and -net.  :-)

-- 
Andre
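
The three settings in the quoted commit log, modelled as an added example that is not part of the original message and is not FreeBSD kernel code: a packet carries IP options when its header length field (IHL) exceeds five 32-bit words, and only then does the sysctl value pick the outcome. The function names, verdict names and sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the values 0/1/2 are the ones in the commit log. */
enum verdict { V_MALFORMED, V_NO_OPTIONS, V_IGNORE_OPTIONS,
               V_PROCESS_OPTIONS, V_REJECT_ICMP };
/* ICMP destination unreachable, "filter prohibited" (type 3, code 13). */
enum { ICMP_TYPE_UNREACH = 3, ICMP_CODE_FILTER_PROHIB = 13 };

/* Constructed sample headers (checksum left 0, not verified here). */
static const uint8_t plain_hdr[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0,
                                       192, 0, 2, 1, 192, 0, 2, 2 };
static const uint8_t opt_hdr[24]   = { 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 1, 0, 0,
                                       192, 0, 2, 1, 192, 0, 2, 2,
                                       1, 1, 1, 0 };  /* NOP NOP NOP EOL */

/* Number of option bytes in an IPv4 header, or -1 if it is malformed. */
int ipv4_option_bytes(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len)                 /* short or truncated */
        return -1;
    return (int)(hlen - 20);
}

/* Decision for one packet under a given net.inet.ip.process_options value. */
enum verdict classify(const uint8_t *pkt, size_t len, int process_options)
{
    int optlen = ipv4_option_bytes(pkt, len);
    if (optlen < 0)
        return V_MALFORMED;
    if (optlen == 0)
        return V_NO_OPTIONS;           /* the sysctl does not come into play */
    switch (process_options) {
    case 0:  return V_IGNORE_OPTIONS;  /* pass the packet unmodified */
    case 2:  return V_REJECT_ICMP;     /* answer with type 3, code 13 */
    default: return V_PROCESS_OPTIONS; /* 1; other values: this example's choice */
    }
}

int main(void)
{
    for (int mode = 0; mode <= 2; mode++)
        printf("mode %d: plain=%d options=%d\n", mode,
               classify(plain_hdr, sizeof plain_hdr, mode),
               classify(opt_hdr, sizeof opt_hdr, mode));
    return 0;
}
```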


