| field | value | date |
|---|---|---|
| author | mdodd <mdodd@FreeBSD.org> | 2003-04-01 08:21:44 +0000 |
| committer | mdodd <mdodd@FreeBSD.org> | 2003-04-01 08:21:44 +0000 |
| commit | e72fdee732ab55fc784034c81ccedda4b5279816 (patch) | |
| tree | f90a5d7ffe2a0b6602c7942defa8707719f90a9c /share | |
| parent | 0bafba46a2e8ee2d4fd220f149d08306f11d0f4d (diff) | |
Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.

There are three sysctl tunables provided to govern system behavior.

net.inet.ip.rfc3514:
    Enables support for rfc3514. As this is an
    Informational RFC and support is not yet widespread
    this option is disabled by default.

net.inet.ip.hear_no_evil:
    If set the host will discard all received evil packets.

net.inet.ip.speak_no_evil:
    If set the host will discard all transmitted evil packets.

The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets received.

For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.
Diffstat (limited to 'share')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | share/man/man4/inet.4 | 11 |
| -rw-r--r-- | share/man/man4/ip.4 | 9 |

2 files changed, 20 insertions, 0 deletions
diff --git a/share/man/man4/inet.4 b/share/man/man4/inet.4 index d15c204..3cf03f8 100644 --- a/share/man/man4/inet.4 +++ b/share/man/man4/inet.4 @@ -261,6 +261,17 @@ adaptation described above. .Pq ip.rtmaxcache Integer: trigger level of cached, unreferenced, protocol-cloned routes which initiates dynamic adaptation (default 128). +.It Dv IPCTL_RFC3514 +.Pq ip.rfc3514 +Boolean: Enable support for RFC3514. Defaults to off. +.It Dv IPCTL_SPEAK_NO_EVIL +.Pq ip.speak_no_evil +Boolean: Prevent the transmission of RFC3514 (EVIL) packets. +Defaults to off. +.It Dv IPCTL_HEAR_NO_EVIL +.Pq ip.hear_no_evil +Boolean: Prevent the reception of RFC3514 (EVIL) packets. +Defaults to off. .El .Sh SEE ALSO .Xr ioctl 2 , diff --git a/share/man/man4/ip.4 b/share/man/man4/ip.4 index 7130014..4896214 100644 --- a/share/man/man4/ip.4 +++ b/share/man/man4/ip.4 @@ -164,6 +164,15 @@ control message from can be used directly as a control message for .Xr sendmsg 2 . .Pp +.Dv IP_EVIL_INTENT can be used to specify that IP packets should have their +EVIL option set as per RFC3514. +The cmsghdr fields should have the following values: +.Bd -literal +cmsg_len = sizeof(struct in_addr) +cmsg_level = IPPROTO_IP +cmsg_type = IP_EVIL_INTENT +.Ed +.Pp .Dv IP_PORTRANGE may be used to set the port range used for selecting a local port number on a socket with an unspecified (zero) port number. |
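Review bot: in the inet.4 hunk, the three new sysctl entries never state how they relate to one another: whether ip.speak_no_evil and ip.hear_no_evil have any effect while ip.rfc3514 is still off (its documented default) is exactly what an operator needs to know before touching either knob, and the entries say nothing about it. Suggest adding one sentence under IPCTL_RFC3514 that spells out the dependency in whichever direction the implementation actually has it. Minor: the new text writes "RFC3514" while the commit message writes "RFC 3514"; pick one spelling for the manual page.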
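Review bot: in the ip.4 hunk, the field listing gives `cmsg_len = sizeof(struct in_addr)` but the text never says what the control message's data carries. As written a reader will expect to supply an in_addr, and if the option is purely a flag whose data is ignored the entry should say so; either way the length is better expressed as CMSG_LEN() of whatever payload the kernel validates against, since a bare sizeof() of the payload omits the cmsghdr itself and is not a valid cmsg_len. Separately, the commit message describes IP_EVIL_INTENT as a setsockopt() option while this hunk documents it as a sendmsg(2) control message; one of the two should be corrected so the documentation matches the interface that was actually added.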