Date: Wed, 19 Dec 2001 13:49:24 -0500
From: "Michael R. Wayne" <wayne@staff.msen.com>
To: hackers@FreeBSD.ORG
Subject: Re: Processing IP options reveals IPSTEALH router
Message-ID: <20011219134924.B2269@staff.msen.com>
In-Reply-To: <20011219173313.C54315@sunbay.com>; from ru@FreeBSD.ORG on Wed, Dec 19, 2001 at 05:33:13PM +0200
References: <20011219181929.A20425@comp.chem.msu.su> <20011219173313.C54315@sunbay.com>

Given the amount of code that IPSTEALTH adds (only a few lines),
eliminating it as a compile-time option and making it a knob is
a win.

Also, I know that there is an issue for systems using cards from
ETinc: enabling IPSTEALTH causes them to panic. ETinc has taken
the stand that this feature is not supported as it is not in the
base release. I'd like to see that objection go away.

/\/\
\/\/

On Wed, Dec 19, 2001 at 05:33:13PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 19, 2001 at 06:19:29PM +0300, Yar Tikhiy wrote:
> >
> > I ran into an absolutely clear, but year-old PR pointing out that
> > a router in the IPSTEALTH mode will reveal itself when processing
> > IP options: kern/23123.
> >
> > The fix proposed seems clean and right to me: don't do IP options
> > at all when in the IPSTEALTH mode. Does anyone have objections?
> > If no, I'll commit the fix.
> >
> What if the packet is directed to us? I think we should still
> process options in this case, and the patch in the PR doesn't
> seem to do it.
>
> <PS>
> I was going to replace IPSTEALTH functionality with the
> net.inet.ip.decttl knob. Setting it to 0 would match the
> IPSTEALTH behavior, the default value will be 1.
> </PS>