
This patch adds a new kernel configurable variable, "ip_block_source_routed",
which, when set non-zero, simply drops any received IP packet that carries a
source route option (loose or strict).  The fix adds a few lines to
sys/netinet/in_proto.c and sys/netinet/ip_input.c.

Install:

There are two ways to install. The first, shown below, is to use the supplied
in_proto.c and ip_input.c files, in which the default has already been set
to block source-routed packets. The second is to set the value in the kernel
config file.

(as root)
# mv /sys/`arch -k`/OBJ/ip_input.o /sys/`arch -k`/OBJ/ip_input.o.FCS
# mv /sys/netinet/in_proto.c /sys/netinet/in_proto.c.FCS
# cp ./in_proto.c /sys/netinet/in_proto.c
# cp ./ip_input.c /sys/netinet/ip_input.c

(The cp of ip_input.c overwrites the original; keep your own copy of it
first if you want to be able to revert, as is done for in_proto.c above.)

Then reconfigure, build and install the new kernel, using the config file in
which IPFORWARDING is disabled.
(KERNELNAME below refers to the name of your kernel config file)
# cd /sys/`arch -k`/conf
# grep IPFORWARDING KERNELNAME
    You should see:  options "IPFORWARDING=-1"
    If this option is not present, refer back to section 5.0 of
    Appendix D, "security-relay specification", before building.
# config KERNELNAME
# cd ../KERNELNAME
# make
# cp /vmunix /vmunix.old
# cp vmunix /vmunix
# sync;sync;sync
# reboot

To test:

After the reboot, log in to the system and run:

# echo "ip_block_source_routed?D" | adb /vmunix
You should see:
_ip_block_source_routed:
_ip_block_source_routed:        1

Note that "?" makes adb read the value compiled into the kernel file on
disk, which confirms the new kernel was built with the default set; it does
not read the value from the running kernel's memory.
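The following is an added example, not the patch's own code, of the check a
variable like this has to make in the input path: walk the IPv4 option area
of a received header and flag the loose (LSRR, 0x83) and strict (SSRR, 0x89)
source route options. The variable name ip_block_source_routed mirrors the
page; the option walker, the helper names ip_has_source_route and
ip_input_should_drop, and the sample headers are constructed for illustration
and are not the contents of the modified ip_input.c.

```c
/* Added example: detect IPv4 source-route options the way a drop check in
 * the input path must, by walking the option area of the header.  The
 * helper names and the sample headers below are constructed, not from the
 * original patch. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define IPOPT_EOL   0      /* end of option list */
#define IPOPT_NOP   1      /* no-op padding, single byte */
#define IPOPT_LSRR  131    /* 0x83 loose source and record route */
#define IPOPT_SSRR  137    /* 0x89 strict source and record route */

/* Mirrors the page's kernel variable; default 1 = block, as on the page. */
int ip_block_source_routed = 1;

/* Return 1 if the IPv4 header in pkt (len bytes available) carries an LSRR
 * or SSRR option, 0 if it does not, -1 if the header or option area is
 * malformed (truncated, bad IHL, option length running past the header). */
int ip_has_source_route(const uint8_t *pkt, size_t len)
{
    if (len < 20) return -1;                    /* shorter than a fixed header */
    if ((pkt[0] >> 4) != 4) return -1;          /* not IPv4 */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL in 32-bit words */
    if (hlen < 20 || hlen > len) return -1;

    size_t off = 20;                            /* options start after fixed header */
    while (off < hlen) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= hlen) return -1;         /* no room for the length byte */
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > hlen) return -1;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) return 1;
        off += olen;                            /* skip any other option */
    }
    return 0;
}

/* The decision the variable makes for a received packet: 1 = drop,
 * 0 = accept.  A malformed option area is dropped regardless of the flag. */
int ip_input_should_drop(const uint8_t *pkt, size_t len)
{
    int r = ip_has_source_route(pkt, len);
    if (r < 0) return 1;
    return ip_block_source_routed && r;
}

/* Constructed sample headers (not captured traffic), TCP payload implied. */
static const uint8_t plain_hdr[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,   10, 0, 0, 2 };

/* IHL 8 (32 bytes): LSRR, length 11, pointer 4, two hops, then EOL pad. */
static const uint8_t lsrr_hdr[32] = {
    0x48, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,   10, 0, 0, 2,
    0x83, 11, 4,  192, 0, 2, 1,  192, 0, 2, 2,  0x00 };

/* IHL 7 (28 bytes): a NOP followed by SSRR, length 7, one hop, no EOL. */
static const uint8_t ssrr_hdr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,   10, 0, 0, 2,
    0x01,  0x89, 7, 4,  192, 0, 2, 9 };

int main(void)
{
    printf("plain:     drop=%d\n", ip_input_should_drop(plain_hdr, sizeof plain_hdr));
    printf("LSRR:      drop=%d\n", ip_input_should_drop(lsrr_hdr, sizeof lsrr_hdr));
    printf("NOP+SSRR:  drop=%d\n", ip_input_should_drop(ssrr_hdr, sizeof ssrr_hdr));
    /* IHL claims 32 bytes but only 24 arrived: malformed, dropped. */
    printf("truncated: drop=%d\n", ip_input_should_drop(lsrr_hdr, 24));
    return 0;
}
```

The walker stops at EOL, steps over single-byte NOPs, and refuses any option
whose length byte would run past the header; the real kernel path would also
generate an ICMP parameter problem for the malformed case, which this example
leaves out.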

