From owner-cvs-all@FreeBSD.ORG  Fri May  7 00:20:31 2004
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 680)
	id CEE9C16A4CF; Fri,  7 May 2004 00:20:31 -0700 (PDT)
Date: Fri, 7 May 2004 00:20:31 -0700
From: Darren Reed <darrenr@hub.freebsd.org>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	Andre Oppermann <andre@FreeBSD.org>, src-committers@FreeBSD.org,
	cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Message-ID: <20040507072031.GA48708@hub.freebsd.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org>
	<20040506185854.GB1777@madman.celabo.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040506185854.GB1777@madman.celabo.org>
User-Agent: Mutt/1.4.1i
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2004 07:20:32 -0000

On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> >   Provide the sysctl net.inet.ip.process_options to control the processing
> >   of IP options.
> >   
> >    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
> >    net.inet.ip.process_options=1  Process all IP options (default).
> >    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP
> >     filter prohibited message.
> >   
> >   This sysctl affects packets destined for the local host as well as those
> >   only transiting through the host (routing).
> >   
> >   IP options do not have any legitimate purpose anymore and are only used
> >   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> >   stacks.
> 
> Yay!
> Shall we have the default be `2 Reject all packets with IP options...' ?
> I think so.

It is disturbing to think that with 3 firewall solutions in the kernel,
basic features they provide, such as this, still get implemented as code.

Darren