Subject: Re: illegal network routes and a ponderance
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 02/23/2003 12:04:35
[ On Saturday, February 22, 2003 at 17:06:30 (-0500), der Mouse wrote: ]
> Subject: Re: illegal network routes and a ponderance
>
> >>> Fixing all the code that makes assumptions based solely on the IP
> >>> address would certainly be a good thing.  [...]
> >> Maybe adding to tcpwrappers the option for checking for
> >> source-routed connections would be the easiest way?
> > Unless I'm unaware of some sockets magic TCP Wrappers (or any other
> > user-level application) can never do this....
> 
> You're unaware.  See [gs]etsockopt(,IPPROTO_IP,IP_OPTIONS,,).

I wish I could.  I find no mention of any of that in getsockopt(2), nor
in any of the referenced manual pages either.  Unfortunately none of the
manual pages in the immediate reference chain lead to ip(4), but
luckily some small spark in my memory reminded me to look there.  I
suppose I should file a documentation PR, but for now I've just made
minor tweaks to my own manual pages to hopefully remind me to do it
later when I have more time.

Luckily I also have a copy of W. Richard Stevens "UNIX Network
Programming" Vol. 1 (2nd Ed).

I see the NetBSD rshd.c does not yet have the code corrections Stevens
recommends -- i.e. it continues on even if it detects any IP_OPTIONS,
and only turns off the options but does not close the connection as is
very strongly recommended.  The OpenBSD version is much better, though
unfortunately it fails to log the reason why it exited so abruptly.

I should probably look at this and other similar bits of code and maybe
even consider also adding similar code to libwrap itself....

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
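The check discussed in this message, as an added example that is not code from the original post nor from the NetBSD or OpenBSD rshd sources: a server calls getsockopt(fd, IPPROTO_IP, IP_OPTIONS) on an accepted TCP socket, walks the returned option list looking for loose (LSRR) or strict (SSRR) source route options, and either closes the connection (the strict policy the message says Stevens recommends) or, in the lenient mode the message attributes to the NetBSD rshd, logs and strips the options with a zero-length setsockopt. The function names (classify_ip_options, classify_socket_options, reject_if_source_routed), the SRCRT_* verdict codes and the sample option buffers are all constructed for this illustration. One assumption to flag: on 4.4BSD-derived systems the buffer returned by getsockopt is a struct ipoption, i.e. a 4-byte first-hop address followed by the option list, as Stevens describes; Linux returns the bare option list. The code skips the prefix only on non-Linux systems.

```c
/* Added example: detect IP source-route options on an accepted socket.
 * Not NetBSD/OpenBSD rshd code. Function names and verdict codes are
 * invented for this illustration. */
#include <stdio.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>

/* RFC 791 option codes; fallbacks in case <netinet/ip.h> lacks them. */
#ifndef IPOPT_EOL
#define IPOPT_EOL   0
#endif
#ifndef IPOPT_NOP
#define IPOPT_NOP   1
#endif
#ifndef IPOPT_LSRR
#define IPOPT_LSRR  131
#endif
#ifndef IPOPT_SSRR
#define IPOPT_SSRR  137
#endif
#ifndef MAX_IPOPTLEN
#define MAX_IPOPTLEN 40
#endif

enum { SRCRT_MALFORMED = -1, SRCRT_NONE = 0, SRCRT_BENIGN = 1, SRCRT_PRESENT = 2 };

/* Walk a raw IP option list (no first-hop prefix). EOL ends the list,
 * NOP is one byte, every other option carries a length byte at +1.
 * Returns SRCRT_PRESENT if an LSRR or SSRR option is found, SRCRT_BENIGN
 * if only other options are present, SRCRT_NONE for an empty list, and
 * SRCRT_MALFORMED for a length that runs past the buffer or below 2. */
int classify_ip_options(const unsigned char *o, size_t n)
{
    int verdict = SRCRT_NONE;
    size_t i = 0;

    while (i < n) {
        unsigned char type = o[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= n)                     /* length byte missing */
            return SRCRT_MALFORMED;
        size_t len = o[i + 1];
        if (len < 2 || i + len > n)         /* bogus or truncated option */
            return SRCRT_MALFORMED;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            verdict = SRCRT_PRESENT;
        else if (verdict == SRCRT_NONE)
            verdict = SRCRT_BENIGN;
        i += len;
    }
    return verdict;
}

/* Fetch the options the peer's SYN carried and classify them. Returns
 * SRCRT_MALFORMED if getsockopt itself fails. */
int classify_socket_options(int fd)
{
    unsigned char buf[MAX_IPOPTLEN + 4];    /* room for the BSD prefix */
    socklen_t len = sizeof buf;
    const unsigned char *opts = buf;

    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, buf, &len) < 0)
        return SRCRT_MALFORMED;
#ifndef __linux__
    /* Assumption (Stevens, UNP vol. 1): 4.4BSD returns a struct ipoption,
     * whose first 4 bytes are the first-hop address, then the options. */
    if (len >= 4) {
        opts += 4;
        len -= 4;
    }
#endif
    return classify_ip_options(opts, len);
}

/* strict != 0: close on any IP option at all (the policy the message
 * says Stevens recommends). strict == 0: close only on a source route
 * or unparseable options, and strip anything else (the lenient
 * behaviour the message attributes to the NetBSD rshd). Returns 1 if
 * the connection was closed, 0 if it may proceed. */
int reject_if_source_routed(int fd, const char *peer, int strict)
{
    int v = classify_socket_options(fd);

    if (v == SRCRT_PRESENT || v == SRCRT_MALFORMED || (strict && v != SRCRT_NONE)) {
        fprintf(stderr, "rejecting %s: %s\n", peer,
                v == SRCRT_PRESENT ? "IP source route option present" :
                v == SRCRT_MALFORMED ? "unparseable IP options" :
                "IP options present (strict mode)");
        close(fd);
        return 1;
    }
    if (v == SRCRT_BENIGN) {
        fprintf(stderr, "%s: stripping non-source-route IP options\n", peer);
        setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0);   /* length 0 clears them */
    }
    return 0;
}

/* Constructed sample option lists for offline demonstration. */
const unsigned char SAMPLE_LSRR[]  = { IPOPT_NOP, IPOPT_LSRR, 7, 4, 10, 0, 0, 1 };
const unsigned char SAMPLE_SSRR[]  = { IPOPT_SSRR, 7, 4, 192, 168, 1, 1, IPOPT_EOL };
const unsigned char SAMPLE_RR[]    = { 7, 7, 4, 0, 0, 0, 0 };        /* record route only */
const unsigned char SAMPLE_TRUNC[] = { IPOPT_LSRR, 11, 4, 10, 0, 0, 1 }; /* length > buffer */
const unsigned char SAMPLE_ZLEN[]  = { 7, 0 };                        /* length byte 0 */

int main(void)
{
    printf("LSRR sample -> %d\n", classify_ip_options(SAMPLE_LSRR, sizeof SAMPLE_LSRR));
    printf("RR sample   -> %d\n", classify_ip_options(SAMPLE_RR, sizeof SAMPLE_RR));
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* fresh socket: no options */
    if (fd >= 0) {
        printf("fresh socket -> %d\n", classify_socket_options(fd));
        close(fd);
    }
    return 0;
}
```

In a real server the call goes right after accept(), before any data is read from the peer, so that a connection whose replies would follow the attacker's route is never authenticated on the strength of its source address. Rejecting on SRCRT_MALFORMED rather than ignoring it is deliberate: an option list the kernel handed over but the daemon cannot parse is not evidence of a benign connection.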