diff options
author | mdodd <mdodd@FreeBSD.org> | 2003-04-01 08:21:44 +0000 |
---|---|---|
committer | mdodd <mdodd@FreeBSD.org> | 2003-04-01 08:21:44 +0000 |
commit | e72fdee732ab55fc784034c81ccedda4b5279816 (patch) | |
tree | f90a5d7ffe2a0b6602c7942defa8707719f90a9c /sys/netinet/ip_input.c | |
parent | 0bafba46a2e8ee2d4fd220f149d08306f11d0f4d (diff) | |
download | FreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.zip FreeBSD-src-e72fdee732ab55fc784034c81ccedda4b5279816.tar.gz |
Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)
This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.
There are three sysctl tunables provided to govern system behavior.
net.inet.ip.rfc3514:
Enables support for rfc3514. As this is an
Informational RFC and support is not yet widespread
this option is disabled by default.
net.inet.ip.hear_no_evil
If set the host will discard all received evil packets.
net.inet.ip.speak_no_evil
If set the host will discard all transmitted evil packets.
The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets recieved.
For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index e26cc8d..8b130f5 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -134,6 +134,11 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW, &ip_sendsourcequench, 0, "Enable the transmission of source quench packets"); +static int hear_no_evil = 0; +SYSCTL_INT(_net_inet_ip, OID_AUTO, hear_no_evil, CTLFLAG_RW, + &hear_no_evil, 0, + "Drop all received EVIL packets."); + /* * XXX - Setting ip_checkinterface mostly implements the receive side of * the Strong ES model described in RFC 1122, but since the routing table @@ -407,6 +412,15 @@ ip_input(struct mbuf *m) ip->ip_off = ntohs(ip->ip_off); /* + * Check for RFC3514 (EVIL) packets. + */ + if (ip->ip_off & IP_EVIL) { + ipstat.ips_evil++; + if (hear_no_evil) + goto bad; + } + + /* * Check that the amount of data in the buffers * is as at least much as the IP header would have us expect. * Trim mbufs if longer than we expect. |