Add net.inet.ip.allowsrcrt option which allows/drops all source

routed packets. This currently defaults to `drop,' but once we verify that all applications that rely on determining remote IP addresses for authentication are dropping the connection when they see a source route option (not just disabling the source route option), we can turn this back on and conform with the host requirements.
1997-02-25 08:35:41 +00:00 · 1997-02-25 08:35:41 +00:00 · 8a449a258b
parent 1e59980d14
commit 8a449a258b
2 changed files with 20 additions and 8 deletions
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@ -1,4 +1,4 @@
-/*	$NetBSD: in.h,v 1.23 1997/01/11 05:21:07 thorpej Exp $	*/
+/*	$NetBSD: in.h,v 1.24 1997/02/25 08:35:41 cjs Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1990, 1993
@ -244,9 +244,10 @@ struct ip_mreq {
 #ifdef notyet
 #define	IPCTL_DEFMTU		4	/* default MTU */
 #endif
-#define	IPCTL_FORWSRCRT		5	/* allow source-routed packets */
+#define	IPCTL_FORWSRCRT		5	/* forward source-routed packets */
 #define	IPCTL_DIRECTEDBCAST	6	/* default broadcast behavior */
-#define	IPCTL_MAXID		7
+#define	IPCTL_ALLOWSRCRT	7	/* allow/drop all source-routed pkts */
+#define	IPCTL_MAXID		8

 #define	IPCTL_NAMES { \
 	{ 0, 0 }, \
@ -256,6 +257,7 @@ struct ip_mreq {
 	{ "mtu", CTLTYPE_INT }, \
 	{ "forwsrcrt", CTLTYPE_INT }, \
 	{ "directed-broadcast", CTLTYPE_INT }, \
+	{ "allowsrcrt", CTLTYPE_INT }, \
 }


--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.46 1997/02/19 08:30:04 cjs Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.47 1997/02/25 08:35:42 cjs Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1988, 1993
@ -78,7 +78,10 @@
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* allow source-routed packets */
+#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#endif
+#ifndef IPALLOWSRCRT
+#define	IPALLOWSRCRT	0	/* reject all source-routed packets */
 #endif
 /*
 * Note: DIRECTED_BROADCAST is handled this way so that previous
@ -96,6 +99,7 @@ int	ipsendredirects = IPSENDREDIRECTS;
 int	ip_defttl = IPDEFTTL;
 int	ip_forwsrcrt = IPFORWSRCRT;
 int	ip_directedbcast = IPDIRECTEDBCAST;
+int	ip_allowsrcrt = IPALLOWSRCRT;
 #ifdef DIAGNOSTIC
 int	ipprintfs = 0;
 #endif
@ -711,6 +715,11 @@ ip_dooptions(m)
 		 */
 		case IPOPT_LSRR:
 		case IPOPT_SSRR:
+			if (ip_allowsrcrt == 0) {
+				type = ICMP_UNREACH;
+				code = ICMP_UNREACH_NET_PROHIB;
+				goto bad;
+			}
 			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
 				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
 				goto bad;
@ -1248,9 +1257,7 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 		return (sysctl_int(oldp, oldlenp, newp, newlen, &ip_mtu));
 #endif
 	case IPCTL_FORWSRCRT:
-		/*
-		 * Don't allow this to change in a secure environment.
-		 */
+		/* Don't allow this to change in a secure environment.  */
 		if (securelevel > 0)
 			return (sysctl_rdint(oldp, oldlenp, newp,
 			    ip_forwsrcrt));
@ -1260,6 +1267,9 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 	case IPCTL_DIRECTEDBCAST:
 		return (sysctl_int(oldp, oldlenp, newp, newlen,
 		    &ip_directedbcast));
+	case IPCTL_ALLOWSRCRT:
+		return (sysctl_int(oldp, oldlenp, newp, newlen,
+		    &ip_allowsrcrt));
 	default:
 		return (EOPNOTSUPP);
 	}