Cargo Features

[dependencies]
network-internet-protocol = { version = "0.1.10", default-features = false, features = ["drop-packets-with-ipv4-options", "drop-packets-with-ipv4-options-lacking-zero-padding", "drop-ipv4-packets-with-do-not-fragment-and-non-zero-identification", "drop-ipv6-packets-with-non-zero-flow-label", "drop-ipv6-fragments-when-first-reserved-field-is-not-zero", "drop-ipv6-fragments-when-second-reserved-field-is-not-zero", "drop-overly-small-ipv6-fragments-aggresively", "dpdk-sys"] }
default = drop-ipv4-packets…identification, drop-ipv6-fragments…is-not-zero, drop-ipv6-fragments…is-not-zero, drop-ipv6-packets…zero-flow-label, drop-overly…fragments-aggresively, drop-packets-with-ipv4-options, drop-packets…lacking-zero-padding

These default features are set whenever network-internet-protocol is added without default-features = false somewhere in the dependency tree.

drop-packets-with-ipv4-options default

Drops internet protocol (IP) version 4 packets with IP options.

Enabled by default.

Violates RFC 791, but IP options are very rarely used; the few that are used have the potential to serve as attack vectors, and none have any meaning to this library.

drop-packets-with-ipv4-options-lacking-zero-padding default

Drops internet protocol (IP) version 4 packets with IP options which do not have zero padding at the end of the options list.

Enabled by default.

This is a strictness check with a very minor impact on performance.

drop-ipv4-packets-with-do-not-fragment-and-non-zero-identification default

Drops internet protocol (IP) version 4 packets with the Do Not Fragment (DF) flag set and a non-zero (fragment) identification.

Enabled by default.

Violates RFC 6864 Section 4.1 paragraph 5 but there is no good reason to send IP packets with DF set and a non-zero (fragment) identification.
In particular, the identification field in these cases can be used as a covert channel and to infer the number of devices behind a NAT proxy.

drop-ipv6-packets-with-non-zero-flow-label default

Drops internet protocol (IP) version 6 packets whose flow label is not zero.

Enabled by default.

There is no good reason to be receiving such packets for ICMP, TCP and UDP flows.

drop-ipv6-fragments-when-first-reserved-field-is-not-zero default

Drops internet protocol (IP) version 6 packets whose fragment extension header has a non-zero first reserved field (8 bits).

Enabled by default.

Violates RFC 8200 Section 4.5 but there is no good reason to be receiving such packets.

drop-ipv6-fragments-when-second-reserved-field-is-not-zero default

Drops internet protocol (IP) version 6 packets whose fragment extension header has a non-zero second reserved field (2 bits).

Enabled by default.

Violates RFC 8200 Section 4.5 but there is no good reason to be receiving such packets.

drop-overly-small-ipv6-fragments-aggresively default

We always drop fragments smaller than they need to be (444 byte MSS).
This setting also drops fragments (except the last) that are smaller than is possible with a 1280 byte MSS.

Enabled by default.

Violates RFC 8200 Section 4.5 but there is no good reason to be receiving such packets.
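The header-field checks behind five of these features, written out as a stand-alone added example (not the crate's own code or API; `Verdict`, `check` and the order of the checks are hypothetical). It assumes a fragment extension header sits directly after the IPv6 fixed header and does not cover the option-padding or small-fragment features.

```rust
// Added illustration, not the crate's code; every name below is hypothetical.
#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, Malformed, Ipv4Options, Ipv4DfWithIdentification,
    Ipv6FlowLabel, Ipv6FragmentFirstReserved, Ipv6FragmentSecondReserved }

/// Checks a raw IP packet (no link-layer header) against the header rules above.
pub fn check(packet: &[u8]) -> Verdict {
    match packet.first().map(|b| *b >> 4) {
        Some(4) if packet.len() >= 20 => {
            let ihl = packet[0] & 0x0F; // header length in 32-bit words
            if ihl < 5 { return Verdict::Malformed; }
            if ihl > 5 { return Verdict::Ipv4Options; } // any option bytes present
            let identification = u16::from_be_bytes([packet[4], packet[5]]);
            let dont_fragment = (packet[6] & 0x40) != 0;
            if dont_fragment && identification != 0 {
                return Verdict::Ipv4DfWithIdentification;
            }
            Verdict::Accept
        }
        Some(6) if packet.len() >= 40 => {
            // Flow label: low 4 bits of byte 1 plus bytes 2 and 3 (20 bits).
            if (packet[1] & 0x0F) != 0 || packet[2] != 0 || packet[3] != 0 {
                return Verdict::Ipv6FlowLabel;
            }
            // Assumption: only a fragment header (type 44) right after the fixed header.
            if packet[6] == 44 {
                if packet.len() < 48 { return Verdict::Malformed; }
                if packet[41] != 0 { return Verdict::Ipv6FragmentFirstReserved; }
                // Byte 43: fragment offset low bits (5), reserved (2), M flag (1).
                if (packet[43] & 0x06) != 0 { return Verdict::Ipv6FragmentSecondReserved; }
            }
            Verdict::Accept
        }
        _ => Verdict::Malformed,
    }
}

fn main() {
    // Constructed packets: an IPv4 header with DF set and identification 0x1234,
    // and an IPv6 header plus fragment header whose 2-bit reserved field is 0b01.
    let mut v4 = [0u8; 20];
    v4[0] = 0x45; v4[4] = 0x12; v4[5] = 0x34; v4[6] = 0x40;
    let mut v6 = [0u8; 48];
    v6[0] = 0x60; v6[6] = 44; v6[43] = 0x02;
    println!("{:?} {:?}", check(&v4), check(&v6));
}
```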

Features from optional dependencies

dpdk-sys implicit feature