From 832d1bd18183abf0012f495103d308a9f95ba2c0 Mon Sep 17 00:00:00 2001
From: andre
Date: Thu, 6 May 2004 18:46:03 +0000
Subject: Provide the sysctl net.inet.ip.process_options to control the processing of IP options.

net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
net.inet.ip.process_options=1 Process all IP options (default).
net.inet.ip.process_options=2 Reject all packets with IP options with ICMP filter prohibited message.

This sysctl affects packets destined for the local host as well as those only transiting through the host (routing). IP options do not have any legitimate purpose anymore and are only used to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP stacks.

Reviewed by: sam (mentor)
---
 sys/netinet/ip_var.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'sys/netinet/ip_var.h')

diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index be83cde..ff616fb 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -147,6 +147,7 @@ extern u_short ip_id; /* ip packet ctr, for ids */
 #endif
 extern int ip_defttl; /* default IP ttl */
 extern int ipforwarding; /* ip forwarding */
+extern int ip_doopts; /* process or ignore IP options */
 #ifdef IPSTEALTH
 extern int ipstealth; /* stealth forwarding */
 #endif
-- 
cgit v1.1
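Review bot: The comment on the added `ip_doopts` declaration names only two of the three modes the commit message defines (0 = ignore, 1 = process, 2 = reject with an ICMP filter-prohibited message), so a reader of the header cannot tell that a third, rejecting mode exists or which numeric value selects which behaviour. Since the variable name (`ip_doopts`) also differs from the sysctl name (`net.inet.ip.process_options`), the comment is the only place in this header that ties the two together; I would write it as `extern int ip_doopts; /* net.inet.ip.process_options: 0=ignore, 1=process, 2=reject w/ ICMP */`. The definition of the variable, the sysctl registration and the code that consults it are outside this patch (limited to ip_var.h), so the value range stated here is taken from the commit message rather than from visible code.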