absence of the active ip option (number 63) in the 2.4 kernel

Hi All,

I wished to create a UDP packet with IP option 63 (the Active IP Option,
see http://citeseer.nj.nec.com/wetherall96active.html) using setsockopt().
An error occurred under Linux 2.4, whereas it works under Solaris 2.7.

After having looked into the kernel, it seems that no code (in
net/ipv4/ip_options.c) exists to allow the creation of this option in
ip_options_compile().

1 - Why is the creation of IP options with new numbers (in conformance with
the RFCs) forbidden by the kernel? If it is for safety reasons, why does
Solaris allow it?
2 - The following trivial patch allows the creation (via setsockopt) of the
active IP option and its interception using the netfilter/iptables 1.2.5
ipv4option module. Is this (first version of) code dangerous for the
network layer? I confess I have at least to check the length of the option
in the header against the IP option length field (the second byte).


Thanks for any help.

Laurent


--- include/linux/ip_old.h      Wed Sep 18 15:53:29 2002
+++ include/linux/ip.h  Wed Sep 18 15:53:42 2002
@@ -63,6 +63,10 @@
 #define IPOPT_SSRR     (9 |IPOPT_CONTROL|IPOPT_COPY)
 #define IPOPT_RA       (20|IPOPT_CONTROL|IPOPT_COPY)

+/* the active IP option : Wetherall & Tennenhouse, 1996  */
+#define IPOPT_ACTIVE    (31|IPOPT_RESERVED1)
+
+
 #define IPVERSION      4
 #define MAXTTL         255
 #define IPDEFTTL       64
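Review bot: `IPOPT_ACTIVE` is defined without `IPOPT_COPY`, unlike the neighbouring `IPOPT_SSRR` and `IPOPT_RA` definitions, so the option will not be copied into every fragment when a packet carrying it is fragmented; state in the comment whether that is intended, and give the resulting option byte (the mail's subject says 63) next to the macro so readers need not work out `31|IPOPT_RESERVED1` by hand. The two trailing added blank lines before `IPVERSION` are stray whitespace; one blank line matches the file's existing layout.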



--- net/ipv4/ip_options_old.c   Wed Sep 18 14:33:50 2002
+++ net/ipv4/ip_options.c       Wed Sep 18 15:50:56 2002
@@ -424,7 +424,7 @@
                                }
                        }
                        break;
-                     case IPOPT_RA:
+               case IPOPT_RA:
                        if (optlen < 4) {
                                pp_ptr = optptr + 1;
                                goto error;
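Review bot: this hunk changes only the indentation of `case IPOPT_RA:` (from `-                     case IPOPT_RA:` to `+               case IPOPT_RA:`), an unrelated whitespace change that should be dropped from a patch whose purpose is adding a new option; it also leaves that label indented differently from the `case IPOPT_SEC:` / `case IPOPT_SID:` labels that follow.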
@@ -432,6 +432,14 @@
                        if (optptr[2] == 0 && optptr[3] == 0)
                                opt->router_alert = optptr - iph;
                        break;
+
+               case IPOPT_ACTIVE:
+                 if (optlen < 2) {
+                   pp_ptr = optptr + 1;
+                   goto error;
+                 }
+                 break;
+
                      case IPOPT_SEC:
                      case IPOPT_SID:
                      default:
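Review bot: the new `case IPOPT_ACTIVE:` accepts the option after checking only `optlen < 2`, which guarantees nothing beyond the presence of the type and length bytes, and its `break` skips the `default:` branch that every other unrecognized option falls into, so option 63 is exempted from whatever treatment that branch applies (which is where the behaviour the mail asks about in question 1 is decided). If the intent is only to let the option reach the netfilter ipv4option match, say so in a comment, and decide explicitly what option data and lengths are acceptable instead of passing through any payload of any length; the mail itself notes the length check is unfinished. The added block is also indented with spaces while the surrounding cases use tabs; match the file's indentation.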



-- 
Laurent Clévy                
Alcatel CIT, R&I             Voice: +33 (0)1 69 63 18 34
Route de Nozay               Fax  : +33 (0)1 69 63 13 59
91460 Marcoussis             mailto:Laurent.Clevy@alcatel.fr
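As an added example (not code from Laurent's mail or the kernel), this is what the user-space side of the experiment looks like: it encodes an IP option with type byte 63 into an IP_OPTIONS buffer and asks a UDP socket to carry it, reporting the errno the kernel returns. The payload bytes are constructed; which kernels accept an option they do not recognise depends on their ip_options_compile() policy and on the caller's privileges.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define ACTIVE_IP_OPTION 63   /* option byte given in the thread's subject */
#define IPOPT_MAX_LEN    40   /* 60-byte max IP header minus 20 fixed bytes */

/* Encode one option: type byte, length byte, data, then pad with
 * end-of-option-list (0) bytes to a 4-byte boundary.
 * Returns the number of bytes written, or -1 if it cannot fit. */
int build_active_option(unsigned char *out, size_t outcap,
                        const unsigned char *data, size_t datalen)
{
    size_t optlen = 2 + datalen;                /* type + length + data */
    size_t total = (optlen + 3) & ~(size_t)3;   /* round up to 4 */
    if (optlen > 255 || total > IPOPT_MAX_LEN || total > outcap)
        return -1;
    out[0] = ACTIVE_IP_OPTION;
    out[1] = (unsigned char)optlen;             /* the "second byte" the mail mentions */
    memcpy(out + 2, data, datalen);
    memset(out + optlen, 0, total - optlen);    /* IPOPT_END padding */
    return (int)total;
}

/* Attach the option to a socket. Returns 0 on success, otherwise the errno
 * the kernel reported (the mail reports an error on 2.4 for type 63). */
int set_active_option(int fd, const unsigned char *data, size_t datalen)
{
    unsigned char opts[IPOPT_MAX_LEN];
    int n = build_active_option(opts, sizeof opts, data, datalen);
    if (n < 0)
        return EMSGSIZE;
    if (setsockopt(fd, IPPROTO_IP, IP_OPTIONS, opts, (socklen_t)n) < 0)
        return errno;
    return 0;
}

int main(void)
{
    static const unsigned char payload[] = { 0x01, 0x02 }; /* constructed sample data */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int rc = set_active_option(fd, payload, sizeof payload);
    printf("IP_OPTIONS with type %d: %s\n", ACTIVE_IP_OPTION,
           rc ? strerror(rc) : "accepted");
    return 0;
}
```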

