Date: Fri, 02 Mar 2001 11:11:33 +0900
From: itojun@iijlab.net
To: Jonathan Lemon <jlemon@flugsvamp.com>
Cc: Nate Williams <nate@yogotech.com>, Jonathan Lemon <jlemon@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c
Message-ID: <2585.983499093@coconut.itojun.org>
In-Reply-To: jlemon's message of Thu, 01 Mar 2001 19:47:51 CST. <20010301194751.V25974@prism.flugsvamp.com>
>> the change, specifically the following part, seems to implement
>> ingress filtering. the change will choke on multihomed hosts
>> with asymmetric routing (like packets from X come into interface A,
>> and packets to X go out from interface B). RFC2827 has more detail
>> on it. I believe it is too strong a limitation.
>
> Actually, it is not source address ingress filtering as RFC2827 talks
> about, but is a security-related patch, for an upcoming security
> advisory. Multihomed hosts that are correctly set up will still work;
> if the host wants to forward packet X out through another interface,
> it is free to do so.

Sorry, maybe I misread the patch. Then I guess you have changed the host model from weak to strong. If so, there are lots of other components that need to be changed (source address selection, routing announcements for !IFF_UP interface routes), and I guess there will be lots of breakages in unnumbered interface settings and other configurations.

I guess this is safer as default behavior. If firewalls need to behave strong-model-like, people are free to do so by installing filter configurations.

http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.12&r2=1.13

itojun
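The weak-versus-strong host model distinction the message turns on can be made concrete with a small simulation. The following is an added example, not code from the FreeBSD tree or from the KAME diff linked above: it models a multihomed host with two interfaces and asymmetric routing (traffic from X arrives on interface A but is addressed to the address held by interface B) and shows that the weak model (RFC 1122) delivers such a packet while the strong model drops it. All interface names, addresses and the `Host`/`Packet` classes are constructed for the illustration.

```python
"""Weak vs strong host model on a multihomed host (constructed simulation).

Not FreeBSD code: a minimal model of the accept/drop decision a host makes
for a packet whose destination is one of its own addresses but which arrived
on a different interface than the one holding that address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Interface:
    name: str
    addr: IPv4Address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: str  # name of the interface the packet arrived on


class Host:
    """A host with several interfaces and a selectable host model."""

    def __init__(self, interfaces, model="weak", forwarding=False):
        if model not in ("weak", "strong"):
            raise ValueError("model must be 'weak' or 'strong'")
        self.ifaces = {i.name: i for i in interfaces}
        self.model = model
        self.forwarding = forwarding

    def owner_of(self, addr):
        """Return the interface holding addr, or None if addr is not local."""
        for iface in self.ifaces.values():
            if iface.addr == addr:
                return iface
        return None

    def classify(self, pkt):
        """Return 'deliver', 'forward' or 'drop' for an incoming packet."""
        if pkt.ingress not in self.ifaces:
            return "drop"  # arrived on an interface we do not have
        owner = self.owner_of(pkt.dst)
        if owner is None:
            # Not addressed to us: a router forwards, a plain host drops.
            return "forward" if self.forwarding else "drop"
        if self.model == "weak":
            # Weak model: any local address is acceptable on any interface.
            return "deliver"
        # Strong model: the destination must belong to the arrival interface.
        return "deliver" if owner.name == pkt.ingress else "drop"


def asymmetric_routing_demo():
    """Traffic from X enters on A but is addressed to B's address.

    Returns the decision under each host model, so the break the message
    describes (strong model rejecting asymmetric traffic) is visible.
    """
    # Constructed documentation-range addresses; not a real deployment.
    ifaces = [Interface("A", ip_address("192.0.2.1")),
              Interface("B", ip_address("198.51.100.1"))]
    x = ip_address("203.0.113.7")
    pkt = Packet(src=x, dst=ip_address("198.51.100.1"), ingress="A")
    return {
        "weak": Host(ifaces, "weak").classify(pkt),
        "strong": Host(ifaces, "strong").classify(pkt),
    }


def symmetric_demo():
    """Same host, but the packet arrives on the interface holding its address."""
    ifaces = [Interface("A", ip_address("192.0.2.1")),
              Interface("B", ip_address("198.51.100.1"))]
    pkt = Packet(src=ip_address("203.0.113.7"),
                 dst=ip_address("198.51.100.1"), ingress="B")
    return Host(ifaces, "strong").classify(pkt)


if __name__ == "__main__":
    print("asymmetric:", asymmetric_routing_demo())
    print("symmetric, strong model:", symmetric_demo())
```

The `classify` method is the whole difference between the two models: one extra comparison of the destination's owning interface against the arrival interface. That is why the strong model only works cleanly when the rest of the stack (source address selection, which routes are announced) agrees with it, and why the same check can instead be applied selectively through packet filter rules on hosts that need it.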