Great Circle Associates Firewalls
(March 1994)
 


Subject: Re: IP_FORWARDING
From: jim @ Tadpole . COM (Jim Thompson)
Date: Sun, 13 Mar 1994 13:55:37 +0600
To: jhawk @ panix . com
Cc: firewalls @ greatcircle . com, jmc @ ksu . ksu . edu, verber @ parc . xerox . com

> Is source_routed_ok() called whenever a source routed packet is
> received  (not for forwarding, just normal receipt)? 

No.  It's only called very early in ip_forward().  ipintr() checks to see
if the packet is destined for 'this machine'.  If it is, and it is an
un-fragmented packet, or re-assembly of this packet is complete with
the addition of this fragment, then the packet gets handed up to the next
level protocol.

> If so, can one inhibit source routed packets from being processed by
> replacing _source_routed_ok in ip_input.o with a stub that returns 0?

Without source, you'd end up patching your .o to do this.
Given the above, it wouldn't help.

The SmallWorks product (netgate) lets you deal with source routing.
There are also some patches from Sun to deal with this, I believe.

In any case, it's not a problem unless you're depending on 'bind()'
to lock-out access to a particular application (like, oh, iftp/itelnet)
by bind()-ing the socket to the 'inside' interface of the machine...

The only other problem is that the semi-sophisticated cracker can
make attacks *seem* to come from your firewall, though the sophisticated
Internet administrator will note the source routing going on, and take
a closer look.

Jim
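The defender's side of the two points Jim makes above (source-routed packets can carry an outside sender to an address bound on the inside interface, and an administrator who looks at the option bytes can see the source routing happening), as an added example that is not from the original post, from ip_input.c, or from the SmallWorks or Sun code mentioned. It parses an IPv4 header, verifies the header checksum, walks the option list for LSRR/SSRR, and applies an interface-aware policy of the kind a packet filter needs when bind()-ing to the inside address is known not to be enough. The addresses, the sample packets and the policy function are constructed for this illustration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# IPv4 option type codes (RFC 791 "copied/class/number" bytes)
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


@dataclass
class SourceRoute:
    kind: str        # "LSRR" or "SSRR"
    pointer: int     # offset of the next hop to use, 4 = first hop pending
    hops: List[str]  # remaining route data; last entry is the final destination


@dataclass
class IPv4Header:
    src: str
    dst: str
    protocol: int
    header_len: int
    source_route: Optional[SourceRoute]
    other_options: List[int]   # type codes of options we do not interpret


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    """Parse the fixed header and option list; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    opts = pkt[20:ihl]
    route, others, i = None, [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break                      # end of option list; rest is padding
        if t == IPOPT_NOP:
            i += 1                     # single-byte option, no length field
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            if ln < 3 or (ln - 3) % 4:
                raise ValueError("bad source-route option length")
            body = opts[i + 3:i + ln]
            hops = [socket.inet_ntoa(body[j:j + 4]) for j in range(0, len(body), 4)]
            route = SourceRoute("LSRR" if t == IPOPT_LSRR else "SSRR", opts[i + 2], hops)
        else:
            others.append(t)
        i += ln
    return IPv4Header(src, dst, pkt[9], ihl, route, others)


def policy_decision(pkt: bytes, received_on_outside: bool, inside_addr: str) -> str:
    """Hypothetical filter rule: refuse source routing, and refuse outside packets
    addressed to the inside interface (the case bind() alone cannot protect)."""
    hdr = parse_ipv4_header(pkt)
    if hdr.source_route is not None:
        sr = hdr.source_route
        return "DROP source-routed (%s) %s -> %s via %s" % (sr.kind, hdr.src, hdr.dst, ", ".join(sr.hops))
    if received_on_outside and hdr.dst == inside_addr:
        return "DROP outside packet addressed to inside interface %s from %s" % (inside_addr, hdr.src)
    return "ACCEPT"


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a test packet with a correct header checksum (sample data only)."""
    options += b"\x00" * (-len(options) % 4)          # pad option list to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: outside host 198.51.100.7, firewall outside 192.0.2.10, inside 10.0.0.1.
LSRR_OPTION = b"\x01" + bytes([IPOPT_LSRR, 7, 4]) + socket.inet_aton("10.0.0.1")   # NOP + LSRR
PLAIN_PACKET = build_ipv4("198.51.100.7", "192.0.2.10", 6)
SOURCE_ROUTED_PACKET = build_ipv4("198.51.100.7", "192.0.2.10", 6, options=LSRR_OPTION)
SPOOFED_TO_INSIDE = build_ipv4("198.51.100.7", "10.0.0.1", 6)

if __name__ == "__main__":
    for name, p in (("plain", PLAIN_PACKET), ("lsrr", SOURCE_ROUTED_PACKET), ("inside", SPOOFED_TO_INSIDE)):
        print(name, policy_decision(p, received_on_outside=True, inside_addr="10.0.0.1"))
```

The source-routed sample is exactly the case in the post: the destination field names the firewall's outside address, and the option's route data carries the inside address the daemon bound to, so the packet reaches that socket unless the filter inspects options rather than trusting the destination field. The policy function is a stand-in for whatever the real filter does; the parser and checksum logic are the reusable part.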
