Closed m00nbsd closed 3 years ago
@m00nbsd:
ip4.drop_options
and ip6.drop_options
parameters sounds good. The user should also be able to do rule-based filtering of options, but that is a separate patch.if (ip->ip_hl != 5 && npf->ip4_drop_options) ...
Would you like to make a pull request (PR)?
Fixed by #112
Description
It would be nice to add an option in NPF allowing to drop packets with IPv4/IPv6 options. This is an important yet missing feature, and IPv4/IPv6 options are a significant problem in network security.
The point is that IPv4/IPv6 options are big enablers when it comes to exploitation: they are hard to parse (that is the parser can easily be buggy), and they allow to push the actual payload farther in the mbuf, in a way that makes it a lot easier to exploit buffer overflows.
Two years ago I wrote a patch for that using BPF. Unfortunately I realized it wasn't correct, because when a connection already exists NPF does a pass-through of the packet without applying BPF rules, meaning that the subsequent TCP packets in the stream could have IPv4/IPv6 options and NPF would accept them.
Patch Suggestion
Probably the correct way to proceed is using npf-params, with
ip4.drop_options
andip6.drop_options
, along the lines of:By default I think that IPv4/IPv6 options should be dropped, like PF does.