From owner-cvs-src@FreeBSD.ORG Fri May 7 00:56:05 2004
Date: Fri, 7 May 2004 00:56:01 -0700 (PDT)
From: Julian Elischer
To: Darren Reed
cc: "Jacques A. Vidrine"
cc: Andre Oppermann
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
In-Reply-To: <20040507072031.GA48708@hub.freebsd.org>
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

On Fri, 7 May 2004, Darren Reed wrote:

> On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> > On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > > Provide the sysctl net.inet.ip.process_options to control the processing
> > > of IP options.
> > >
> > > net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
> > > net.inet.ip.process_options=1 Process all IP options (default).
> > > net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
> > > filter prohibited message.
> > >
> > > This sysctl affects packets destined for the local host as well as those
> > > only transiting through the host (routing).
> > >
> > > IP options do not have any legitimate purpose anymore and are only used
> > > to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> > > stacks.
> >
> > Yay!
> >
> > Shall we have the default be `2 Reject all packets with IP options...' ?
>
> I think so.
>
> It is disturbing to think that with 3 firewall solutions in the kernel,
> basic features they provide, such as this, still get implemented as code.
>

well, reject, yes, but a firewall can not force the stack to IGNORE options..

> Darren
>
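The three sysctl modes the commit message describes, as an added illustration of the per-packet decision they imply. This is example code written for this page, not FreeBSD's ip_input.c: the function name process_options, the verdict enum and the sample headers are all constructed here, and mode 1 is reduced to validating option lengths rather than actually executing the options as a real stack would.

```c
#include <stddef.h>
#include <stdint.h>

/* Verdicts for the per-packet decision; the modes mirror the sysctl values
 * in the commit message, but this is illustrative code, not FreeBSD's. */
enum verdict { PASS = 0, REJECT_MALFORMED = -1, REJECT_HAS_OPTIONS = -2 };

/* Check every option's length field in the IPv4 options area (EOL=0 and
 * NOP=1 carry no length byte; all other options do). */
static int options_well_formed(const uint8_t *opt, size_t len)
{
    for (size_t i = 0; i < len; ) {
        uint8_t type = opt[i];
        if (type == 0)
            return 1;                      /* EOL: end of option list */
        if (type == 1) {
            i++;                           /* NOP: a single byte */
            continue;
        }
        if (i + 1 >= len)
            return 0;                      /* length byte missing */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len)
            return 0;                      /* bogus length overrunning the header */
        i += olen;
    }
    return 1;
}

/* mode 0: pass unmodified; mode 1: process (here: validate) the options;
 * mode 2: reject any packet whose header carries options at all (IHL > 5). */
int process_options(int mode, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return REJECT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return REJECT_MALFORMED;
    if (mode == 0 || ihl == 20)
        return PASS;                           /* options ignored, or none present */
    if (mode == 2)
        return REJECT_HAS_OPTIONS;             /* the real stack answers with ICMP admin-prohibited */
    return options_well_formed(pkt + 20, ihl - 20) ? PASS : REJECT_MALFORMED;
}

/* Constructed sample headers: no options, a 4-byte Router Alert option, and the same option with a bad length. */
const uint8_t pkt_plain[20]  = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
const uint8_t pkt_ralert[24] = { 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, 0x94, 0x04, 0, 0 };
const uint8_t pkt_badlen[24] = { 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, 0x94, 0x09, 0, 0 };
```

With mode 0 the malformed option is never looked at, with mode 1 it is caught by the length check, and with mode 2 any header longer than 20 bytes is rejected before its options are parsed.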