Date: Thu, 6 May 2004 13:58:54 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Andre Oppermann <andre@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <20040506185854.GB1777@madman.celabo.org>
In-Reply-To: <200405061846.i46Ik3Jc060969@repoman.freebsd.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org>
On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> andre       2004/05/06 11:46:03 PDT
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_fastfwd.c ip_input.c ip_var.h
>   Log:
>   Provide the sysctl net.inet.ip.process_options to control the processing
>   of IP options.
>
>    net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
>    net.inet.ip.process_options=1 Process all IP options (default).
>    net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
>                                  filter prohibited message.
>
>   This sysctl affects packets destined for the local host as well as those
>   only transiting through the host (routing).
>
>   IP options do not have any legitimate purpose anymore and are only used
>   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
>   stacks.
>
>   Reviewed by:  sam (mentor)

Yay!

Shall we have the default be `2 Reject all packets with IP options...' ?
I think so.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040506185854.GB1777>
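The commit message quoted above describes three modes for net.inet.ip.process_options but not how a stack tells an options-bearing packet apart from a plain one, nor why mode 1 is the risky one. The following is an added example, not FreeBSD code and not part of the thread: a userland model of the three policies applied to a raw IPv4 header. Options are detected purely from the IHL field (header length greater than 20 bytes). The option walk used for mode 1 is a stand-in for the kernel's real option-processing routine (ip_dooptions() in ip_input.c); it only validates the type/length layout of RFC 791 options and implements no option's semantics. The sample headers are constructed, not captured traffic, and the enum and function names are this example's own.

```c
/*
 * Added example (not FreeBSD source): model of the three
 * net.inet.ip.process_options modes applied to a raw IPv4 header.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ip_opt_policy {
    IPOPT_IGNORE  = 0,   /* sysctl=0: pass packets unmodified, never look at options */
    IPOPT_PROCESS = 1,   /* sysctl=1: walk and validate the option list (the default) */
    IPOPT_REJECT  = 2,   /* sysctl=2: drop every packet that carries options */
};

enum verdict { PASS = 0, DROP_MALFORMED = 1, DROP_POLICY = 2, DROP_BADHDR = 3 };

/* RFC 791 single-byte option types; every other type carries a length byte. */
#define IPOPT_EOL 0
#define IPOPT_NOP 1

/*
 * Stand-in for the kernel's option processing: walk `optlen` bytes of
 * options and report whether the type/length chain stays inside the
 * option area. Returns 1 if well-formed, 0 otherwise.
 */
static int ip_options_wellformed(const uint8_t *opts, size_t optlen)
{
    size_t off = 0;
    while (off < optlen) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            return 1;                 /* end of list; the rest is padding */
        if (type == IPOPT_NOP) {
            off++;
            continue;
        }
        if (off + 1 >= optlen)
            return 0;                 /* length byte missing */
        uint8_t len = opts[off + 1];
        if (len < 2 || off + len > optlen)
            return 0;                 /* length points outside the header */
        off += len;
    }
    return 1;
}

/*
 * Apply one policy to `pktlen` bytes starting at an IPv4 header.
 * A header whose IHL claims more bytes than are present is rejected
 * before any policy is consulted.
 */
enum verdict ip_apply_option_policy(const uint8_t *pkt, size_t pktlen,
                                    enum ip_opt_policy policy)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return DROP_BADHDR;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > pktlen)
        return DROP_BADHDR;
    if (hlen == 20)
        return PASS;                              /* no options present */

    switch (policy) {
    case IPOPT_IGNORE:
        return PASS;
    case IPOPT_REJECT:
        return DROP_POLICY;   /* the kernel answers with ICMP filter-prohibited here */
    case IPOPT_PROCESS:
    default:
        return ip_options_wellformed(pkt + 20, hlen - 20) ? PASS : DROP_MALFORMED;
    }
}

/* Constructed sample headers (TCP, 10.0.0.1 -> 10.0.0.2, checksum left zero). */
static const uint8_t hdr_plain[20] = {
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
static const uint8_t hdr_opts_ok[24] = {          /* IHL=6: NOP, NOP, EOL, pad */
    0x46, 0x00, 0x00, 0x18, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    1, 1, 0, 0 };
static const uint8_t hdr_opts_bad[24] = {         /* IHL=6: type 7, len 8 in a 4-byte area */
    0x46, 0x00, 0x00, 0x18, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    7, 8, 4, 0 };

int main(void)
{
    const char *names[] = { "pass", "drop(malformed)", "drop(policy)", "drop(badhdr)" };
    for (int p = IPOPT_IGNORE; p <= IPOPT_REJECT; p++) {
        enum ip_opt_policy pol = (enum ip_opt_policy)p;
        printf("process_options=%d: plain=%s opts_ok=%s opts_bad=%s\n", p,
               names[ip_apply_option_policy(hdr_plain, sizeof hdr_plain, pol)],
               names[ip_apply_option_policy(hdr_opts_ok, sizeof hdr_opts_ok, pol)],
               names[ip_apply_option_policy(hdr_opts_bad, sizeof hdr_opts_bad, pol)]);
    }
    return 0;
}
```

The point the model makes visible: mode 0 and mode 2 never parse the option list at all, so a bad length byte cannot reach any option-specific code; only mode 1, the default the reply above questions, walks attacker-controlled type/length pairs. A length check like the one in ip_options_wellformed() is the minimum a stack needs before touching option contents.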