From owner-freebsd-hackers Wed Dec 19 7:33:49 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 200F037B416; Wed, 19 Dec 2001 07:33:25 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBJFXDd60549; Wed, 19 Dec 2001 17:33:13 +0200 (EET) (envelope-from ru) Date: Wed, 19 Dec 2001 17:33:13 +0200 From: Ruslan Ermilov To: Yar Tikhiy Cc: net@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: Processing IP options reveals IPSTEALH router Message-ID: <20011219173313.C54315@sunbay.com> References: <20011219181929.A20425@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20011219181929.A20425@comp.chem.msu.su> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, Dec 19, 2001 at 06:19:29PM +0300, Yar Tikhiy wrote: > Hi there, > > I ran into an absolutely clear, but year-old PR pointing out that > a router in the IPSTEALTH mode will reveal itself when processing > IP options: kern/23123. > > The fix proposed seems clean and right to me: don't do IP options > at all when in the IPSTEALTH mode. Does anyone have objections? > If no, I'll commit the fix. > What if the packet is directed to us? I think we should still process options in this case, and the patch in the PR doesn't seem to do it. I was going to replace IPSTEALTH functionality with the net.inet.ip.decttl knob. Setting it to 0 would match the IPSTEALTH behavior, the default value will be 1. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message