From owner-freebsd-hackers Wed Dec 19 10:49:50 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from manor.msen.com (manor.msen.com [148.59.4.66]) by hub.freebsd.org (Postfix) with ESMTP id 52AEA37B41A for ; Wed, 19 Dec 2001 10:49:25 -0800 (PST)
Received: (from wayne@localhost) by manor.msen.com (8.9.3/8.9.3) id NAA11252 for hackers@FreeBSD.ORG; Wed, 19 Dec 2001 13:49:24 -0500 (EST) (envelope-from wayne)
Date: Wed, 19 Dec 2001 13:49:24 -0500
From: "Michael R. Wayne"
To: hackers@FreeBSD.ORG
Subject: Re: Processing IP options reveals IPSTEALH router
Message-ID: <20011219134924.B2269@staff.msen.com>
References: <20011219181929.A20425@comp.chem.msu.su> <20011219173313.C54315@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20011219173313.C54315@sunbay.com>; from ru@FreeBSD.ORG on Wed, Dec 19, 2001 at 05:33:13PM +0200
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Given the amount of code that IPSTEALTH adds (only a few lines),
eliminating it as a compile time option and making it a knob is a win.

Also, I know that there is an issue for systems using cards from ETinc:
enabling IPSTEALTH causes them to panic. ETinc has taken the stand that
this feature is not supported as it is not in the base release. I'd like
to see that objection go away.

/\/\ \/\/

On Wed, Dec 19, 2001 at 05:33:13PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 19, 2001 at 06:19:29PM +0300, Yar Tikhiy wrote:
> >
> > I ran into an absolutely clear, but year-old PR pointing out that
> > a router in the IPSTEALTH mode will reveal itself when processing
> > IP options: kern/23123.
> >
> > The fix proposed seems clean and right to me: don't do IP options
> > at all when in the IPSTEALTH mode. Does anyone have objections?
> > If not, I'll commit the fix.
> >
> What if the packet is directed to us?  I think we should still
> process options in this case, and the patch in the PR doesn't
> seem to do it.
>
> I was going to replace IPSTEALTH functionality with the
> net.inet.ip.decttl knob.  Setting it to 0 would match the
> IPSTEALTH behavior, the default value will be 1.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
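The forwarding decision the thread is arguing about, as an added illustration that is not FreeBSD kernel code and not anything the posters wrote: a stripped-down model of the forwarding path in which one knob (modelled on the proposed net.inet.ip.decttl, value 0 standing in for IPSTEALTH) controls whether this hop decrements TTL, answers TTL-exceeded, and processes a record-route option. It encodes the PR's fix (skip option processing when stealthy) together with Ruslan's amendment (still process options for packets addressed to us). The packets, the router address 10.0.0.1 and the option layout are constructed here; the knob semantics are my reading of the proposal, not a description of what was committed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the forwarding-path decision, not FreeBSD code.
 * Header and option layout follow RFC 791; knob semantics are assumed. */
#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_RR  7
#define IPHDR_MIN 20
#define IPHDR_MAX 60

enum fwd_action { FWD_FORWARD, FWD_TTL_EXCEEDED };

struct pkt { uint8_t hdr[IPHDR_MAX]; size_t hlen; };

struct fwd_result {
    enum fwd_action action;
    bool ttl_decremented;  /* this hop consumed a TTL unit */
    bool addr_recorded;    /* this hop wrote its own address into an option */
};

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Constructed packet: IPv4 header with given TTL and destination and, if
 * requested, a record-route option with three free 4-byte slots. */
struct pkt build_pkt(uint8_t ttl, uint32_t dst, bool with_rr)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.hlen = with_rr ? IPHDR_MIN + 16 : IPHDR_MIN;
    p.hdr[0] = (uint8_t)(0x40 | (p.hlen / 4));   /* version 4, IHL in words */
    p.hdr[8] = ttl;
    p.hdr[9] = 17;                               /* UDP, arbitrary */
    put32(&p.hdr[12], 0xc0a80002);               /* src 192.168.0.2 (constructed) */
    put32(&p.hdr[16], dst);
    if (with_rr) {
        p.hdr[20] = IPOPT_RR;
        p.hdr[21] = 15;        /* type + length + pointer + 3 slots */
        p.hdr[22] = 4;         /* pointer to the next free slot, 1-based */
        p.hdr[35] = IPOPT_EOL;
    }
    return p;
}

/* Walk the option list; for record-route append our address if a slot is
 * free. Returns true when the address was written, i.e. the hop is visible. */
static bool process_options(struct pkt *p, uint32_t us)
{
    size_t off = IPHDR_MIN;
    bool recorded = false;
    while (off < p->hlen) {
        uint8_t opt = p->hdr[off];
        if (opt == IPOPT_EOL) break;
        if (opt == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= p->hlen) break;
        uint8_t len = p->hdr[off + 1];
        if (len < 2 || off + len > p->hlen) break;      /* malformed: stop */
        if (opt == IPOPT_RR && len >= 3) {
            uint8_t ptr = p->hdr[off + 2];
            if (ptr >= 4 && (size_t)ptr - 1 + 4 <= len) {
                put32(&p->hdr[off + ptr - 1], us);
                p->hdr[off + 2] = (uint8_t)(ptr + 4);
                recorded = true;
            }
        }
        off += len;
    }
    return recorded;
}

/* decttl == 1: ordinary router. decttl == 0: the IPSTEALTH behaviour
 * (assumed semantics of the proposed knob). Options are processed only when
 * not stealthy, or when the packet is addressed to us. */
struct fwd_result ip_forward_model(struct pkt *p, int decttl, uint32_t us)
{
    struct fwd_result r = { FWD_FORWARD, false, false };
    bool for_us = get32(&p->hdr[16]) == us;

    if (decttl || for_us)
        r.addr_recorded = process_options(p, us);
    if (for_us)
        return r;                   /* local delivery, nothing forwarded */
    if (decttl) {
        if (p->hdr[8] <= 1) { r.action = FWD_TTL_EXCEEDED; return r; }
        p->hdr[8]--;
        r.ttl_decremented = true;
    }
    return r;
}

int main(void)
{
    const uint32_t us = 0x0a000001;                /* 10.0.0.1, constructed */
    for (int decttl = 1; decttl >= 0; decttl--) {
        struct pkt p = build_pkt(5, 0x0a000009, true);
        struct fwd_result r = ip_forward_model(&p, decttl, us);
        printf("decttl=%d: ttl=%u recorded=%d decremented=%d\n",
               decttl, p.hdr[8], r.addr_recorded, r.ttl_decremented);
    }
    return 0;
}
```

Running it shows the two behaviours side by side: with decttl=1 the transit packet leaves with TTL 4 and 10.0.0.1 in its record-route slot, with decttl=0 it leaves byte-for-byte unchanged, while a packet addressed to 10.0.0.1 still gets its options processed in either mode.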