#7 TCP (IP) options sanity checking

Status: open
Owner: nobody
Labels: None
Priority: 3
Updated: 2009-03-03
Created: 2008-04-24
Private: No

There is already ipf_tcpoptions() in IPF, which performs that kind of check.
Unfortunately the function is not applied to every packet, since it is used
solely inside the ip_state.c module.

It's too late, because the function is called even if a matching state entry is
found for the given packet or a new state entry is being created for the packet.

Therefore I'm proposing to introduce a new function into the fr_check()
function, which drives packets through IPF. This newly introduced function
should check the sanity of the options in packet headers (IP, TCP, UDP, ...). We
would also be able to extend the rules to allow the user to discard packets with
a particular option set, or just remove/modify a given option.

The ipf_tcpoptions() function should then no longer try to do TCP options sanity
checks. It should rather concentrate on grabbing the data from the TCP header
options that the ip_state.c module needs to do proper state handling.
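
The kind of TCP options sanity check the ticket proposes for the fr_check() path, as an added example that is not part of the ticket or of the IPFilter source: `tcpopt_sanity()` is a hypothetical function that walks the option area once, before any state lookup, and rejects lengths that would overrun the header or loop forever.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for the option walk (hypothetical, not IPF's own). */
enum tcpopt_result { TCPOPT_OK = 0, TCPOPT_BAD_LEN, TCPOPT_TRUNCATED };

/* Validate the TCP option bytes that follow the fixed 20-byte header.
 * opts   - pointer to the first option byte
 * optlen - (data offset * 4) - 20, as computed from the TCP header
 * Returns TCPOPT_OK only if every option is well-formed. */
int tcpopt_sanity(const uint8_t *opts, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i];
        uint8_t len;
        if (kind == 0)              /* End of Option List: rest is padding */
            return TCPOPT_OK;
        if (kind == 1) {            /* No-Operation: single byte, no length */
            i++;
            continue;
        }
        if (i + 1 >= optlen)        /* kind present but length byte missing */
            return TCPOPT_TRUNCATED;
        len = opts[i + 1];
        if (len < 2)                /* length 0 or 1 would never advance */
            return TCPOPT_BAD_LEN;
        if (i + len > optlen)       /* option body overruns the option area */
            return TCPOPT_TRUNCATED;
        /* Fixed sizes from RFC 793 (MSS), RFC 7323 (WS, TS), RFC 2018 (SACK) */
        switch (kind) {
        case 2: if (len != 4) return TCPOPT_BAD_LEN; break;   /* MSS */
        case 3: if (len != 3) return TCPOPT_BAD_LEN; break;   /* window scale */
        case 4: if (len != 2) return TCPOPT_BAD_LEN; break;   /* SACK permitted */
        case 5: if (len < 10 || (len - 2) % 8) return TCPOPT_BAD_LEN; break; /* SACK */
        case 8: if (len != 10) return TCPOPT_BAD_LEN; break;  /* timestamps */
        default: break;             /* unknown kind: length already bounded */
        }
        i += len;
    }
    return TCPOPT_OK;
}
```

Only the option area is inspected, so the caller still has to verify that the data offset itself fits inside the captured packet before calling it.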

Discussion

  • Sasha Nedvedicky
    • labels: 966546 -->

  • Darren - 2009-03-03
    • priority: 5 --> 3