-rw-r--r-- | sys/netinet/ip_fastfwd.c | 12 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 13 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 1 |
3 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 002943a..a73c499 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -292,8 +292,16 @@ ip_fastforward(struct mbuf *m)
 /*
 * Only IP packets without options
 */
- if (ip->ip_hl != (sizeof(struct ip) >> 2))
- return 0;
+ if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
+ if (ip_doopts == 1)
+ return 0;
+ else if (ip_doopts == 2) {
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
+ 0, NULL);
+ return 1;
+ }
+ /* else ignore IP options and continue */
+ }
 
 /*
 * Only unicast IP, not from loopback, no L2 or IP broadcast,
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index baf4453..586d1b1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -110,6 +110,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute, CTLFLAG_RW,
 &ip_acceptsourceroute, 0, "Enable accepting source routed IP packets");
 
+int ip_doopts = 1; /* 0 = ignore, 1 = process, 2 = reject */
+SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
+ &ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
+
 static int ip_keepfaith = 0;
 SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
 &ip_keepfaith, 0,
@@ -1287,6 +1291,15 @@ ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
 n_time ntime;
 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
 
+ /* ignore or reject packets with IP options */
+ if (ip_doopts == 0)
+ return 0;
+ else if (ip_doopts == 2) {
+ type = ICMP_UNREACH;
+ code = ICMP_UNREACH_FILTER_PROHIB;
+ goto bad;
+ }
+
 dst = ip->ip_dst;
 cp = (u_char *)(ip + 1);
 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index be83cde..ff616fb 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
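Review bot: A value of ip_doopts other than 0, 1 or 2 is treated as "ignore" here but as "process" in the ip_dooptions hunk of ip_input.c: the fast path only tests for 1 and 2 and falls through to the `/* else ignore IP options and continue */` branch, while ip_dooptions only tests for 0 and 2 and falls through to full option processing, so the same sysctl setting yields two different policies depending on which path a packet takes. Since the knob is a plain CTLFLAG_RW int with no range check, a mistyped value such as 3 silently produces that split behaviour; make the unknown case conservative in the fast path by replacing the trailing comment with `else if (ip_doopts != 0) return 0; /* unknown value: leave to the slow path */`. The block comment `Only IP packets without options` above the test is now only true for mode 1 and should say that option-bearing packets are passed through when ip_doopts is 0. The body of ip_fastforward continues outside the hunk, so whether the later length and checksum code copes with ip_hl greater than 5 in that mode cannot be confirmed from here.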
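Review bot: The sysctl description `"Enable IP options processing ([LS]SRR, RR, TS)"` reads as a boolean, but the knob is tri-state and the description is what an administrator sees from sysctl -d; spell the values out, e.g. `"IP options handling: 0 = ignore, 1 = process (default), 2 = reject with ICMP unreachable"`. Nothing bounds the value either, so a SYSCTL_PROC handler returning EINVAL for anything outside 0..2 would keep both consumers from ever seeing an unhandled value. The definition's own comment `/* 0 = ignore, 1 = process, 2 = reject */` is good and should be the text mirrored in the description and in ip_var.h.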
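Review bot: Rejecting through `goto bad` reuses the malformed-option exit of ip_dooptions, which lies outside the hunk; if that label also increments the bad-options statistic (presumably it does, being the path taken for corrupt option headers), every administratively refused packet will be counted as malformed, which muddies a counter operators rely on to spot corruption or probing. Sending the error directly keeps the counters honest: `icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB, 0, NULL);` followed by `return (1);`, matching what the ip_fastfwd.c hunk already does. The new comment could also say what "ignore" means for the packet, e.g. `/* 0: leave the options in the header untouched and treat the packet as if it had none */`. The rest of ip_dooptions continues outside the hunk.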
@@ -147,6 +147,7 @@ extern u_short ip_id; /* ip packet ctr, for ids */
 #endif
 extern int ip_defttl; /* default IP ttl */
 extern int ipforwarding; /* ip forwarding */
+extern int ip_doopts; /* process or ignore IP options */
 #ifdef IPSTEALTH
 extern int ipstealth; /* stealth forwarding */
 #endif |
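Review bot: The comment on the new declaration, `/* process or ignore IP options */`, omits the reject value, and ip_var.h is where other subsystems will look the variable up. Mirror the definition's comment instead: `extern int ip_doopts; /* 0 = ignore, 1 = process, 2 = reject */`.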