authorandre <andre@FreeBSD.org>2004-05-06 18:46:03 +0000
committerandre <andre@FreeBSD.org>2004-05-06 18:46:03 +0000
commit832d1bd18183abf0012f495103d308a9f95ba2c0 (patch)
tree22eb8e04c9df14eb5b01b9ef5afdd606f02dc0d8 /sys/netinet
parentd33cf3a8dd4e576e88618e7a15c1ef1ae48603eb (diff)
Provide the sysctl net.inet.ip.process_options to control the processing
of IP options. net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified. net.inet.ip.process_options=1 Process all IP options (default). net.inet.ip.process_options=2 Reject all packets with IP options with ICMP filter prohibited message. This sysctl affects packets destined for the local host as well as those only transiting through the host (routing). IP options do not have any legitimate purpose anymore and are only used to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP stacks. Reviewed by: sam (mentor)
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_fastfwd.c12
-rw-r--r--sys/netinet/ip_input.c13
-rw-r--r--sys/netinet/ip_var.h1
3 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 002943a..a73c499 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -292,8 +292,16 @@ ip_fastforward(struct mbuf *m)
/*
* Only IP packets without options
*/
- if (ip->ip_hl != (sizeof(struct ip) >> 2))
- return 0;
+ if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
+ if (ip_doopts == 1)
+ return 0;
+ else if (ip_doopts == 2) {
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
+ 0, NULL);
+ return 1;
+ }
+ /* else ignore IP options and continue */
+ }
/*
* Only unicast IP, not from loopback, no L2 or IP broadcast,
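Review bot: The added branch treats every value of ip_doopts other than 1 or 2 as "ignore options", whereas the matching check added to ip_dooptions in the ip_input.c hunk treats every value other than 0 or 2 as "process", so an out-of-range sysctl value (the new sysctl is a plain CTLFLAG_RW int with no range handler) is forwarded untouched on the fast path but parsed on the slow path. Making the fallback here the conservative one keeps both paths in agreement: `if (ip_doopts == 2) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB, 0, NULL); return 1; }` followed by `else if (ip_doopts != 0) return 0;`, so only an explicit 0 lets a packet with options continue. With ip_doopts == 0 the rest of ip_fastforward now sees packets whose ip_hl is not 5, which it never did before this change; the remainder of the function lies outside the hunk and presumably should be checked for any assumption of a fixed 20-byte header.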
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index baf4453..586d1b1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -110,6 +110,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
CTLFLAG_RW, &ip_acceptsourceroute, 0,
"Enable accepting source routed IP packets");
+int ip_doopts = 1; /* 0 = ignore, 1 = process, 2 = reject */
+SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
+ &ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
+
static int ip_keepfaith = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
&ip_keepfaith, 0,
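Review bot: The description string on the new SYSCTL_INT reads as a boolean ("Enable IP options processing ...") while the variable has three documented states, so a sysctl -d listing gives no hint that 0 and 2 exist; the source comment one line above already names them and the string should too, e.g. `"IP options processing: 0 = ignore, 1 = process, 2 = reject"`.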
@@ -1287,6 +1291,15 @@ ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
n_time ntime;
struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
+ /* ignore or reject packets with IP options */
+ if (ip_doopts == 0)
+ return 0;
+ else if (ip_doopts == 2) {
+ type = ICMP_UNREACH;
+ code = ICMP_UNREACH_FILTER_PROHIB;
+ goto bad;
+ }
+
dst = ip->ip_dst;
cp = (u_char *)(ip + 1);
cnt = (ip->ip_hl << 2) - sizeof (struct ip);
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index be83cde..ff616fb 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -147,6 +147,7 @@ extern u_short ip_id; /* ip packet ctr, for ids */
#endif
extern int ip_defttl; /* default IP ttl */
extern int ipforwarding; /* ip forwarding */
+extern int ip_doopts; /* process or ignore IP options */
#ifdef IPSTEALTH
extern int ipstealth; /* stealth forwarding */
#endif
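Review bot: The comment on the new extern mentions only "process or ignore", omitting the reject mode the same commit adds, and a reader of ip_var.h has no other place to learn the encoding; suggest `extern int ip_doopts; /* IP options: 0 = ignore, 1 = process, 2 = reject */` so the header matches the definition in ip_input.c.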