From: Sam Leffler
Organization: Errno Consulting
To: Darren Reed
Cc: "Jacques A. Vidrine", cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Andre Oppermann, cvs-all@FreeBSD.org
Date: Fri, 7 May 2004 07:55:36 -0700
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-Id: <200405070755.36055.sam@errno.com>
In-Reply-To: <20040507072031.GA48708@hub.freebsd.org>

On Friday 07 May 2004 12:20 am, Darren Reed wrote:
> On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> > On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > > Provide the sysctl net.inet.ip.process_options to control the
> > > processing of IP options.
> > >
> > > net.inet.ip.process_options=0 Ignore IP options and pass packets
> > > unmodified.
> > > net.inet.ip.process_options=1 Process all IP options (default).
> > > net.inet.ip.process_options=2 Reject all packets with IP options
> > > with ICMP filter prohibited message.
> > >
> > > This sysctl affects packets destined for the local host as well as
> > > those only transiting through the host (routing).
> > >
> > > IP options do not have any legitimate purpose anymore and are only
> > > used to circumvent firewalls or to exploit certain behaviours or bugs
> > > in TCP/IP stacks.
> >
> > Yay!
> >
> > Shall we have the default be `2 Reject all packets with IP options...' ?
>
> I think so.
>
> It is disturbing to think that with 3 firewall solutions in the kernel,
> basic features they provide, such as this, still get implemented as code.

Employing a packet filter is not equivalent as it requires every packet to be
processed while this (effectively 7-line change) adds no new overhead to the
normal processing path for packets.  It would be nice if packet filtering
were cheap enough that we could use it in this way but I don't think that's
the case just yet.

Sam
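The three settings quoted in the commit message, worked through as an added example that is not FreeBSD's ip_input.c code: a small classifier that checks an IPv4 header for options and returns the verdict each net.inet.ip.process_options value implies. The verdict names and the sample header bytes are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdicts mirroring the three sysctl values (names are this example's own). */
enum ipopt_verdict { IPOPT_NONE, IPOPT_PASS_UNMODIFIED, IPOPT_PROCESS,
                     IPOPT_REJECT_FILTER_PROHIB, IPOPT_MALFORMED };

/* Walk the options area: EOL ends the list, NOP is one byte, every other
 * option carries a length byte that must keep it inside the header. */
static int ip_options_wellformed(const uint8_t *opt, size_t optlen)
{
    size_t off = 0;
    while (off < optlen) {
        uint8_t type = opt[off];
        if (type == 0) return 1;               /* End of Options List */
        if (type == 1) { off++; continue; }    /* No Operation */
        if (off + 1 >= optlen) return 0;       /* length byte missing */
        uint8_t len = opt[off + 1];
        if (len < 2 || off + len > optlen) return 0;
        off += len;
    }
    return 1;
}

/* Apply net.inet.ip.process_options semantics to one IPv4 header.
 * hdr points at the first header byte, pktlen is the bytes available. */
int ip_options_verdict(const uint8_t *hdr, size_t pktlen, int policy)
{
    if (pktlen < 20 || (hdr[0] >> 4) != 4) return IPOPT_MALFORMED;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > pktlen) return IPOPT_MALFORMED;
    if (hlen == 20) return IPOPT_NONE;         /* no options: normal path */
    switch (policy) {
    case 0:  return IPOPT_PASS_UNMODIFIED;     /* ignore options, pass as-is */
    case 2:  return IPOPT_REJECT_FILTER_PROHIB;/* answer with ICMP filter prohibited */
    default: return ip_options_wellformed(hdr + 20, hlen - 20)
                    ? IPOPT_PROCESS : IPOPT_MALFORMED;
    }
}

/* Constructed sample headers: version/IHL byte, total length, then options
 * (a NOP,NOP,EOL list and a record-route option whose length overruns). */
static const uint8_t hdr_no_opts[20] = { 0x45, 0x00, 0x00, 0x14 };
static const uint8_t hdr_nop_eol[24] = { 0x46, 0x00, 0x00, 0x18,
                                         [20] = 0x01, 0x01, 0x00, 0x00 };
static const uint8_t hdr_bad_len[24] = { 0x46, 0x00, 0x00, 0x18,
                                         [20] = 0x07, 0x10, 0x00, 0x00 };
```

Note that the packet-without-options path returns before the policy is consulted, which is the "no new overhead" property argued for in the reply above.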