path: root/sys/netinet/ip_input.c
authormdodd <mdodd@FreeBSD.org>2003-04-01 08:21:44 +0000
committermdodd <mdodd@FreeBSD.org>2003-04-01 08:21:44 +0000
commite72fdee732ab55fc784034c81ccedda4b5279816 (patch)
treef90a5d7ffe2a0b6602c7942defa8707719f90a9c /sys/netinet/ip_input.c
parent0bafba46a2e8ee2d4fd220f149d08306f11d0f4d (diff)
downloadFreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.zip
FreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.tar.gz
Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt) This fulfills the host requirements for userland support by way of the setsockopt() IP_EVIL_INTENT message. There are three sysctl tunables provided to govern system behavior. net.inet.ip.rfc3514: Enables support for rfc3514. As this is an Informational RFC and support is not yet widespread this option is disabled by default. net.inet.ip.hear_no_evil If set the host will discard all received evil packets. net.inet.ip.speak_no_evil If set the host will discard all transmitted evil packets. The IP statistics counter 'ips_evil' (available via 'netstat') provides information on the number of 'evil' packets received. For reference, the '-E' option to 'ping' has been provided to demonstrate and test the implementation.
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e26cc8d..8b130f5 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -134,6 +134,11 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
&ip_sendsourcequench, 0,
"Enable the transmission of source quench packets");
+static int hear_no_evil = 0;
+SYSCTL_INT(_net_inet_ip, OID_AUTO, hear_no_evil, CTLFLAG_RW,
+ &hear_no_evil, 0,
+ "Drop all received EVIL packets.");
+
/*
* XXX - Setting ip_checkinterface mostly implements the receive side of
* the Strong ES model described in RFC 1122, but since the routing table
@@ -407,6 +412,15 @@ ip_input(struct mbuf *m)
ip->ip_off = ntohs(ip->ip_off);
/*
+ * Check for RFC3514 (EVIL) packets.
+ */
+ if (ip->ip_off & IP_EVIL) {
+ ipstat.ips_evil++;
+ if (hear_no_evil)
+ goto bad;
+ }
+
+ /*
* Check that the amount of data in the buffers
* is as at least much as the IP header would have us expect.
* Trim mbufs if longer than we expect.
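Review bot: The receive-side check is not gated on the net.inet.ip.rfc3514 master switch that the commit message says is "disabled by default" — the added block counts `ipstat.ips_evil++` and, with hear_no_evil set, drops the packet on `if (ip->ip_off & IP_EVIL)` alone, so any datagram with the reserved fragment-offset bit set is discarded regardless of whether RFC 3514 support is enabled. The diffstat shows the rfc3514 tunable is not defined in this file, so presumably the backing variable lives elsewhere and would need an `extern` here; the drop condition should then become `if (hear_no_evil && <rfc3514 enabled>)`, with the counter likewise gated or at least documented as counting independently of the switch. Worth a comment above the block, e.g. `/* The EVIL flag is set by the sender; dropping on it only affects senders that opt in and gives no protection against anyone else. */`, so nobody later reads hear_no_evil as a security control. Note the check runs after the `ntohs(ip->ip_off)` conversion on the line above, so testing IP_EVIL in host order is correct; ip_input() and its `bad:` label continue outside this hunk.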