Date:      Thu, 1 Mar 2001 19:47:51 -0600
From:      Jonathan Lemon <jlemon@flugsvamp.com>
To:        Jun-ichiro itojun Hagino <itojun@iijlab.net>
Cc:        Nate Williams <nate@yogotech.com>, Jonathan Lemon <jlemon@flugsvamp.com>, Jonathan Lemon <jlemon@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_input.c
Message-ID:  <20010301194751.V25974@prism.flugsvamp.com>
In-Reply-To: <20010302012741.CECBE7E0E@starfruit.itojun.org>
References:  <15006.61041.727634.597339@nomad.yogotech.com> <20010302012741.CECBE7E0E@starfruit.itojun.org>

On Fri, Mar 02, 2001 at 10:27:41AM +0900, Jun-ichiro itojun Hagino wrote:
> 
> >I'll resend the email that Don Lewis sent out right after your commit.
> >On Feb 27, 11:43am, Jonathan Lemon wrote:
> >} Subject: cvs commit: src/sys/netinet ip_input.c
> >} jlemon      2001/02/27 11:43:14 PST
> >} 
> >}   Modified files:
> >}     sys/netinet          ip_input.c 
> >}   Log:
> >}   When iterating over our list of interface addresses in order to determine
> >}   if an arriving packet belongs to us, also check that the packet arrived
> >}   through the correct interface.  Skip this check if the packet was locally
> >}   generated.
> 
> 	the change, specifically the following part, seems to implement
> 	ingress filtering.  the change will choke on multihomed hosts
> 	with asymmetric routing (like packets from X come into interface A,
> 	and packets to X go out from interface B).  RFC2827 has more detail
> 	on it.  I believe it is too strong a limitation.

Actually, it is not source address ingress filtering as RFC2827 talks
about, but is a security-related patch, for an upcoming security
advisory.  Multihomed hosts that are correctly set up will still work;
if the host wants to forward packet X out through another interface,
it is free to do so.
--
Jonathan
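
The check described in the commit log quoted above, as an added example in C. It is not FreeBSD's ip_input.c code and not part of the original message; the types, the functions `is_ours` and `sample_is_ours`, the `check_iface` switch and the sample addresses are all constructed for illustration. The model matches on destination address and receiving interface only, so the packet's source address plays no part in the decision.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not FreeBSD's in_ifaddr or mbuf structures. */
struct iface_addr { uint32_t addr; int ifindex; };
struct pkt {
    uint32_t dst;               /* destination address from the IP header */
    int      rcv_ifindex;       /* interface the packet arrived on */
    bool     locally_generated; /* produced by this host, never on the wire */
};

/* Constructed sample host with two interfaces. */
static const struct iface_addr sample_addrs[] = {
    { 0xC0000201u, 1 },  /* 192.0.2.1    on interface 1 */
    { 0xC6336401u, 2 },  /* 198.51.100.1 on interface 2 */
};

/* True when the packet should be delivered locally. With check_iface set, a
 * destination match counts only on the owning interface; locally generated
 * packets skip that test. On false the caller forwards or drops. */
bool is_ours(const struct iface_addr *a, size_t n, const struct pkt *p,
             bool check_iface)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i].addr != p->dst)
            continue;           /* not this address, keep iterating */
        if (!check_iface || p->locally_generated ||
            a[i].ifindex == p->rcv_ifindex)
            return true;
    }
    return false;
}

/* Convenience wrapper over the constructed sample host. */
bool sample_is_ours(uint32_t dst, int rcv_ifindex, bool local, bool check)
{
    struct pkt p = { dst, rcv_ifindex, local };
    return is_ours(sample_addrs, 2, &p, check);
}

int main(void)
{
    /* Packet for interface 2's address arriving on interface 1. */
    printf("without check: %d\n", sample_is_ours(0xC6336401u, 1, false, false));
    printf("with check:    %d\n", sample_is_ours(0xC6336401u, 1, false, true));
    return 0;
}
```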
