Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_fastfwd.c12
-rw-r--r--sys/netinet/ip_input.c13
-rw-r--r--sys/netinet/ip_var.h1
3 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 002943a..a73c499 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -292,8 +292,16 @@ ip_fastforward(struct mbuf *m)
/*
* Only IP packets without options
*/
- if (ip->ip_hl != (sizeof(struct ip) >> 2))
- return 0;
+ if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
+ if (ip_doopts == 1)
+ return 0;
+ else if (ip_doopts == 2) {
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
+ 0, NULL);
+ return 1;
+ }
+ /* else ignore IP options and continue */
+ }
/*
* Only unicast IP, not from loopback, no L2 or IP broadcast,
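Review bot: The two new branches act only on the values 1 and 2, so any other sysctl value (a stray 3, say) falls through to the fast path with the option area unexamined, whereas the matching check added to ip_dooptions() treats every value other than 0 and 2 as "process"; making the fall-through explicit keeps the two call sites in step: `if (ip_doopts != 0 && ip_doopts != 2)` in place of `if (ip_doopts == 1)`. The reject branch also sits above the unicast/loopback/broadcast filter that begins on the last line of the hunk, so icmp_error() can be asked to answer a broadcast or multicast packet carrying options unless icmp_error() itself suppresses that; either move the options check below that filter or confirm the suppression. The comment `Only IP packets without options` directly above the check is now stale; `Packets with IP options: slow path (1), reject with ICMP (2), or forward unexamined (0)` describes the new behaviour. ip_fastforward() begins and ends outside the hunk.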
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index baf4453..586d1b1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -110,6 +110,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
CTLFLAG_RW, &ip_acceptsourceroute, 0,
"Enable accepting source routed IP packets");
+int ip_doopts = 1; /* 0 = ignore, 1 = process, 2 = reject */
+SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
+ &ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
+
static int ip_keepfaith = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
&ip_keepfaith, 0,
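Review bot: The sysctl description `Enable IP options processing ([LS]SRR, RR, TS)` reads as a boolean, but the initializer comment on the line above gives three values, and `sysctl -d` is the only place an operator sees the semantics; spell them out: `"IP options: 0 = ignore, 1 = process, 2 = reject with ICMP"`. The same omission recurs in the ip_var.h hunk, whose extern comment says `process or ignore IP options` and drops the reject mode; `/* 0 = ignore, 1 = process, 2 = reject */` there would match the definition. It would also help to state what "ignore" means, since it is the surprising mode: the options are neither validated nor acted on, and as far as the diff shows they stay in the header of the forwarded or delivered packet.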
@@ -1287,6 +1291,15 @@ ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
n_time ntime;
struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
+ /* ignore or reject packets with IP options */
+ if (ip_doopts == 0)
+ return 0;
+ else if (ip_doopts == 2) {
+ type = ICMP_UNREACH;
+ code = ICMP_UNREACH_FILTER_PROHIB;
+ goto bad;
+ }
+
dst = ip->ip_dst;
cp = (u_char *)(ip + 1);
cnt = (ip->ip_hl << 2) - sizeof (struct ip);
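Review bot: The reject branch exits through `bad:`, which lies outside the hunk and, if it follows the usual shape of this function, bumps the bad-options statistic before sending the ICMP error, so packets dropped by policy would be indistinguishable from malformed ones in netstat; confirm against the label and, if so, give policy rejects their own counter or a separate exit. In ignore mode the early `return 0` comes before the per-option length validation that starts with the `cnt` computation, so an option area with inconsistent lengths is passed along unchecked rather than rejected; the comment should say that, e.g. `/* 0: leave IP options in the header unexamined; 2: reject with ICMP filter-prohibited */`. ip_dooptions() starts and ends outside the hunk.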
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index be83cde..ff616fb 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -147,6 +147,7 @@ extern u_short ip_id; /* ip packet ctr, for ids */
#endif
extern int ip_defttl; /* default IP ttl */
extern int ipforwarding; /* ip forwarding */
+extern int ip_doopts; /* process or ignore IP options */
#ifdef IPSTEALTH
extern int ipstealth; /* stealth forwarding */
#endif