author | Matthew N. Dodd <mdodd@FreeBSD.org> | 2003-04-02 20:14:44 +0000 |
committer | Matthew N. Dodd <mdodd@FreeBSD.org> | 2003-04-02 20:14:44 +0000 |
commit | 2c56e246fa57e8bd7aa53c0a1ad2f5092fd77106 (patch) | |
tree | 2e9681302fc88cc051f2afb4ca92612f8833c409 /sys/netinet | |
parent | cc76558ad42f65993b4fa5194f62213d07f551e7 (diff) | |
download | src-2c56e246fa57e8bd7aa53c0a1ad2f5092fd77106.tar.gz src-2c56e246fa57e8bd7aa53c0a1ad2f5092fd77106.zip |
Back out support for RFC3514.
RFC3514 poses an unacceptable risk to compliant systems.
Notes:
svn path=/head/; revision=112985
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in.h | 2 | ||||
-rw-r--r-- | sys/netinet/in_pcb.h | 1 | ||||
-rw-r--r-- | sys/netinet/ip.h | 1 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 31 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 1 |
6 files changed, 1 insertions, 49 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 49f83e5b82ad..83eeae78b9d7 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -399,8 +399,6 @@ __END_DECLS
 #define IP_DUMMYNET_FLUSH 62 /* flush dummynet */
 #define IP_DUMMYNET_GET 64 /* get entire dummynet pipes */
 
-#define IP_EVIL_INTENT 65 /* RFC3514 */
-
 /*
  * Defaults and limits for options
  */
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index eb02c6e2e71c..efb7862a5407 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -276,7 +276,6 @@ struct inpcbinfo {
 /* XXX documentation, prefixes */
 #define INP_RECVIF 0x80 /* receive incoming interface */
 #define INP_MTUDISC 0x100 /* user can do MTU discovery */
 #define INP_FAITH 0x200 /* accept FAITH'ed connections */
-#define INP_EVIL 0x400 /* Packet has evil intentions */
 
 #define IN6P_IPV6_V6ONLY 0x008000 /* restrict AF_INET6 socket for v6 */
diff --git a/sys/netinet/ip.h b/sys/netinet/ip.h
index 6efdc0cd65c3..24f66ceb24db 100644
--- a/sys/netinet/ip.h
+++ b/sys/netinet/ip.h
@@ -62,7 +62,6 @@ struct ip {
 	u_short ip_id; /* identification */
 	u_short ip_off; /* fragment offset field */
 #define IP_RF 0x8000 /* reserved fragment flag */
-#define IP_EF 0x8000 /* evil flag, per RFC 3514 */
 #define IP_DF 0x4000 /* dont fragment flag */
 #define IP_MF 0x2000 /* more fragments flag */
 #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e80ea2de7ab6..e26cc8dd55fe 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -134,11 +134,6 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW,
 	&ip_sendsourcequench, 0,
 	"Enable the transmission of source quench packets");
 
-static int hear_no_evil = 0;
-SYSCTL_INT(_net_inet_ip, OID_AUTO, hear_no_evil, CTLFLAG_RW,
-	&hear_no_evil, 0,
-	"Drop all received EVIL packets.");
-
 /*
  * XXX - Setting ip_checkinterface mostly implements the receive side of
  * the Strong ES model described in RFC 1122, but since the routing table
@@ -412,15 +407,6 @@ ip_input(struct mbuf *m)
 	ip->ip_off = ntohs(ip->ip_off);
 
 	/*
-	 * Check for RFC3514 (EVIL) packets.
-	 */
-	if (ip->ip_off & IP_EF) {
-		ipstat.ips_evil++;
-		if (hear_no_evil)
-			goto bad;
-	}
-
-	/*
 	 * Check that the amount of data in the buffers
 	 * is as at least much as the IP header would have us expect.
 	 * Trim mbufs if longer than we expect.
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 3b715168dbca..c00ac4cd512e 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -101,13 +101,6 @@ int mbuf_frag_size = 0;
 SYSCTL_INT(_net_inet_ip, OID_AUTO, mbuf_frag_size, CTLFLAG_RW,
 	&mbuf_frag_size, 0, "Fragment outgoing mbufs to this size");
 #endif
-static int ip_do_rfc3514 = 0;
-SYSCTL_INT(_net_inet_ip, OID_AUTO, rfc3514, CTLFLAG_RW,
-	&ip_do_rfc3514, 0, "IPv4 Header Security Flag Support");
-
-static int speak_no_evil = 0;
-SYSCTL_INT(_net_inet_ip, OID_AUTO, speak_no_evil, CTLFLAG_RW,
-	&speak_no_evil, 0, "Drop all EVIL packets before output.");
 
 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
 static struct ifnet *ip_multicast_if(struct in_addr *, int *);
@@ -235,7 +228,7 @@ ip_output(m0, opt, ro, flags, imo, inp)
 	if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
 		ip->ip_v = IPVERSION;
 		ip->ip_hl = hlen >> 2;
-		ip->ip_off &= IP_DF|IP_EF;
+		ip->ip_off &= IP_DF;
 #ifdef RANDOM_IP_ID
 		ip->ip_id = ip_randomid();
 #else
@@ -246,17 +239,6 @@ ip_output(m0, opt, ro, flags, imo, inp)
 		hlen = ip->ip_hl << 2;
 	}
 
-	/* RFC3514 */
-	if ((inp != NULL) && /* Originated */
-	    ip_do_rfc3514 && /* Supported */
-	    ((inp->inp_flags & INP_EVIL) == INP_EVIL)) /* Optioned */
-		ip->ip_off |= IP_EF;
-
-	if (speak_no_evil && (ip->ip_off & IP_EF)) {
-		error = EACCES;
-		goto bad;
-	}
-
 #ifdef FAST_IPSEC
 	if (ro == NULL) {
 		ro = &iproute;
@@ -1444,7 +1426,6 @@ ip_ctloutput(so, sopt)
 		case IP_RECVDSTADDR:
 		case IP_RECVIF:
 		case IP_FAITH:
-		case IP_EVIL_INTENT:
 			error = sooptcopyin(sopt, &optval, sizeof optval,
 					    sizeof optval);
 			if (error)
@@ -1483,12 +1464,6 @@ ip_ctloutput(so, sopt)
 			case IP_FAITH:
 				OPTSET(INP_FAITH);
 				break;
-			case IP_EVIL_INTENT:
-				if (ip_do_rfc3514) {
-					OPTSET(INP_EVIL);
-				} else
-					error = EINVAL;
-				break;
 			}
 			break;
 #undef OPTSET
@@ -1581,7 +1556,6 @@ ip_ctloutput(so, sopt)
 		case IP_RECVIF:
 		case IP_PORTRANGE:
 		case IP_FAITH:
-		case IP_EVIL_INTENT:
 			switch (sopt->sopt_name) {
 
 			case IP_TOS:
@@ -1622,9 +1596,6 @@ ip_ctloutput(so, sopt)
 			case IP_FAITH:
 				optval = OPTBIT(INP_FAITH);
 				break;
-			case IP_EVIL_INTENT:
-				optval = OPTBIT(INP_EVIL);
-				break;
 			}
 			error = sooptcopyout(sopt, &optval, sizeof optval);
 			break;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 4e9907b12b2d..c8df2e673e4a 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -132,7 +132,6 @@ struct ipstat {
 	u_long ips_notmember; /* multicasts for unregistered grps */
 	u_long ips_nogif; /* no match gif found */
 	u_long ips_badaddr; /* invalid address on header */
-	u_long ips_evil; /* EVIL packets received */
 };
 
 #ifdef _KERNEL
|