Hello,

On Tue, 03 Jan 2006, at 01:39, Łukasz Bromirski wrote:

> Hi,
>
> Following some short discussion on freebsd-pf I've written (mostly
> copied, but let's skip that for a moment) a short patch for ip_input.c
> that does a uRPF check for incoming packets.
>
> In some simple words, it's exactly the function ipfw2 is calling when
> you specify a rule with `versrcreach', but it's there in the core
> network processing path and it's controlled via sysctl, so you don't
> need any packet filter in the system to get the job done.
>
> If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
> it's set to 1, checking of source address/interface against the routing
> table is in effect. Checks will skip packets coming in on
> loopback or CARP interfaces.
>
> When the packet is going to be dropped, there's a syslog message
> generated with the source IP address and the input interface it came on,
> and system counters are increased.
>
> The patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with the latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
>
> Please note however, this code is for IPv4 only.
>
> http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
> SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Nice!

> Please also note, there's already a similar sysctl in ip_input.c -
> it's named ip_checkinterface and does a subset of the uRPF checks, so
> while I don't think this patch is going to make it into the source tree,
> maybe it's time for someone wiser than me to review the code and
> 'update' the ip_input.c code?

If this yet-to-be-found wiser guy would not forget the loose check too
(verrevpath in ipfw speaking), where packets matching the default route
are ok... :)

Cheers,
- yann

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
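The strict and loose reverse-path checks the thread is discussing, as an added example that is neither Łukasz's patch nor FreeBSD's ip_input.c. It models the semantics only: a longest-prefix match over a small list stands in for the kernel's route lookup, a stats object stands in for the syslog message and counters the post mentions, and mode "off" mirrors net.inet.ip.urpf=0. The routing table, the interface names (em0, em1, em2, lo0, carp0) and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 prefixes are constructed for illustration. The loose check is parameterised so that both variants are visible: default-route matches accepted (the variant the reply above asks for) or rejected.

```python
"""Strict and loose uRPF (reverse-path) checks over a toy routing table.

Constructed example, not the patch from the post and not FreeBSD's
ip_input.c. Interface names and prefixes below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

IPv4 = Union[str, ipaddress.IPv4Address]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ifname: str  # interface the kernel would use to reach this prefix


@dataclass
class UrpfStats:
    """Stands in for the syslog line and counters the post describes."""
    passed: int = 0
    dropped: int = 0
    log: List[str] = field(default_factory=list)


# Constructed routing table (assumed names). A real kernel consults its FIB;
# longest-prefix match over this list stands in for the route lookup.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "em0"),        # default route, upstream
    Route(ipaddress.ip_network("192.0.2.0/24"), "em1"),      # customer LAN
    Route(ipaddress.ip_network("198.51.100.0/24"), "em2"),   # second LAN
    Route(ipaddress.ip_network("127.0.0.0/8"), "lo0"),
]

# Input interfaces the check skips entirely, as the patch does for loopback and CARP.
EXEMPT_IF_PREFIXES = ("lo", "carp")


def lookup(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when nothing (not even a default) covers addr."""
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(src: IPv4, ifname: str, mode: str = "strict", routes: List[Route] = ROUTES,
               reject_default: bool = False, stats: Optional[UrpfStats] = None) -> bool:
    """Return True if a packet from src arriving on ifname passes the check.

    mode="off"    mirrors net.inet.ip.urpf=0: everything passes.
    mode="strict" the best route back to src must leave via ifname.
    mode="loose"  any route to src suffices. With reject_default=True a source
                  reachable only through the default route is dropped (ipfw's
                  versrcreach is documented to ignore the default route); with
                  the default False it is accepted, as the reply above asks for.
    """
    if mode == "off":
        return True
    if ifname.startswith(EXEMPT_IF_PREFIXES):
        return True  # loopback / CARP: never checked
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        raise ValueError("this model, like the patch, handles IPv4 only")

    route = lookup(routes, addr)
    if route is None:
        ok = False  # no route at all: unreachable source, fails in both modes
    elif mode == "strict":
        ok = route.ifname == ifname
    elif mode == "loose":
        ok = not (reject_default and route.prefix.prefixlen == 0)
    else:
        raise ValueError(f"unknown uRPF mode {mode!r}")

    if stats is not None:
        if ok:
            stats.passed += 1
        else:
            stats.dropped += 1
            # Same two facts the patch's syslog message carries: source and input interface.
            stats.log.append(f"urpf: dropped packet from {addr} on {ifname} ({mode} check)")
    return ok


if __name__ == "__main__":
    st = UrpfStats()
    # Constructed packets: (source address, input interface)
    packets = [("192.0.2.10", "em1"),    # legitimate: route back to src leaves via em1
               ("192.0.2.10", "em2"),    # spoofed: LAN address arriving from the other LAN
               ("203.0.113.5", "em0"),   # Internet source on the upstream link
               ("203.0.113.5", "em1"),   # Internet source arriving from the LAN: spoof
               ("203.0.113.5", "carp0")]  # exempt interface
    for src, ifn in packets:
        for mode in ("strict", "loose"):
            verdict = "pass" if urpf_check(src, ifn, mode, stats=st) else "DROP"
            print(f"{src:>12} on {ifn:<5} {mode:<6} -> {verdict}")
    print(f"passed={st.passed} dropped={st.dropped}")
    for line in st.log:
        print(line)
```

The point the example makes concrete: in strict mode a packet from 203.0.113.5 arriving on the LAN side fails because the only route back to it leaves via the upstream interface, while in loose mode the same packet passes unless default-route matches are excluded, which is why an asymmetric-routing site wants the loose variant and a single-homed edge can afford the strict one.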