> Speaking on my own behalf (not Sun's): You can turn off IP forwarding in
> the Kernel, but unless you then hack the kernel yourself there is no "option"
> for turning off IP source routing in 4.1.X.
> (kernel hack is available, but without *any* support)
>
> Sun *did* put the option into solaris 2.3 to disable source routing at
> the kernel level.
Brad,
A quick read of the source shows that simply turning off ip_forwarding will
suppress source routing in SunOS 4.1.X.
ip_forward() has the following code snippet:
    if ((ip_forwarding != 1) && !source_routed_ok(ip, ifp)) {
        ipstat.ips_cantforward++;
        m_freem(dtom(ip));
        return;
    }
Here is the comment from source_routed_ok():
/*
* See if a packet is carrying LSRR or SSRR options.
* if it is source routed, check that it goes out over the same interface
* that it came in over.
*/
Which, in fact, the code does..
In the absence of some external influence (someone setting ip_forwarding 'on')
I can't see how
The following cases exist:
1) Machine has less than two (non-loopback) interfaces.
2) Machine has two or more (non-loopback) interfaces and ip_forwarding
turned off (set to -1 to ensure it never gets turned 'on' by the kernel).
3) Machine has two or more (non-loopback) interfaces with ip_forwarding
turned 'on'.
Case '1' isn't interesting, as it is covered by both ip_forwarding
being 'off', and source_routed_ok() failing on any attempt to forward
through the machine.
Case '2' is covered, as ip_forwarding is 'off', so the machine can't
forward source-routed packets.
Case '3' isn't a firewall, in the absence of some other filtering in
the kernel; in any case, you won't be able to source route through the
machine, as source_routed_ok() will fail.
No kernel hack necessary, though 30 seconds with adb should be all that
is needed to make source_routed_ok *always* return 0, thus turning off
source routing for good. :-)
Jim
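
Added example, not part of the message above and not SunOS source: a user-space C sketch of the check that the source_routed_ok() comment describes (walk the IPv4 options looking for LSRR or SSRR), next to the quoted ip_forward() test. The body of source_routed_ok() is not shown in the message, so model_source_routed_ok() is a hypothetical model built only from its comment; the function names, interface numbers and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_LSRR = 131, OPT_SSRR = 137 };

/* Constructed IPv4 headers: no options; NOP + LSRR; LSRR with a bad length. */
const uint8_t SAMPLE_PLAIN[20] = { 0x45 };
const uint8_t SAMPLE_LSRR[28] = { 0x47, [20] = 0x01, 0x83, 0x07, 0x04, 10, 0, 0, 1 };
const uint8_t SAMPLE_BAD[24] = { 0x46, [20] = 0x83, 0x09, 0x04, 0x00 };

/* 1 if the header carries LSRR or SSRR, 0 if not, -1 if it is malformed. */
int carries_source_route(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return -1;
    for (size_t i = 20; i < hlen; ) {
        uint8_t type = pkt[i];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) { i++; continue; }  /* one-byte option */
        if (i + 1 >= hlen)
            return -1;                           /* no room for a length byte */
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2 || i + optlen > hlen)
            return -1;                           /* option overruns the header */
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        i += optlen;
    }
    return 0;
}

/* Assumed model of source_routed_ok(): source routed AND same interface. */
int model_source_routed_ok(const uint8_t *pkt, size_t len, int in_if, int out_if)
{
    return carries_source_route(pkt, len) == 1 && in_if == out_if;
}

/* The quoted ip_forward() test: 1 if the packet gets past it, 0 if dropped. */
int passes_forward_check(int ip_forwarding, int sr_ok)
{
    return !((ip_forwarding != 1) && !sr_ok);
}
```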