From owner-cvs-all Thu Mar 1 17:49:39 2001
Delivered-To: cvs-all@freebsd.org
Received: from prism.flugsvamp.com (cb58709-a.mdsn1.wi.home.com [24.17.241.9]) by hub.freebsd.org (Postfix) with ESMTP id EA8F037B719; Thu, 1 Mar 2001 17:49:33 -0800 (PST) (envelope-from jlemon@flugsvamp.com)
Received: (from jlemon@localhost) by prism.flugsvamp.com (8.11.0/8.11.0) id f221lpG74810; Thu, 1 Mar 2001 19:47:51 -0600 (CST) (envelope-from jlemon)
Date: Thu, 1 Mar 2001 19:47:51 -0600
From: Jonathan Lemon
To: Jun-ichiro itojun Hagino
Cc: Nate Williams, Jonathan Lemon, Jonathan Lemon, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c
Message-ID: <20010301194751.V25974@prism.flugsvamp.com>
References: <15006.61041.727634.597339@nomad.yogotech.com> <20010302012741.CECBE7E0E@starfruit.itojun.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <20010302012741.CECBE7E0E@starfruit.itojun.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Mar 02, 2001 at 10:27:41AM +0900, Jun-ichiro itojun Hagino wrote:
> 
> >I'll resend the email that Don Lewis sent out right after your commit.
> >
> >On Feb 27, 11:43am, Jonathan Lemon wrote:
> >} Subject: cvs commit: src/sys/netinet ip_input.c
> >} jlemon 2001/02/27 11:43:14 PST
> >}
> >} Modified files:
> >}   sys/netinet ip_input.c
> >} Log:
> >} When iterating over our list of interface addresses in order to determine
> >} if an arriving packet belongs to us, also check that the packet arrived
> >} through the correct interface. Skip this check if the packet was locally
> >} generated.
> 
> the change, specifically the following part, seems to implement
> ingress filtering. the change will choke on multihomed hosts
> with asymmetric routing (like packets from X come into interface A,
> and packets to X go out from interface B). RFC2827 has more detail
> on it. I believe it is too strong a limitation.
Actually, it is not source address ingress filtering as RFC2827 talks about, but is a security-related patch, for an upcoming security advisory. Multihomed hosts that are correctly set up will still work; if the host wants to forward packet X out through another interface, it is free to do so.
-- 
Jonathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
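The check described in the quoted commit log, as an added example that is not the FreeBSD ip_input.c code: a constructed interface address table and a function that decides whether a packet for a given destination "belongs to us", requiring that the packet arrived on the interface the address is configured on unless it was locally generated. It distinguishes the "right address, wrong interface" outcome, which is the case itojun's asymmetric-routing objection is about and the case a defender would want to count or log. All names, interfaces and addresses (iftable, is_ours, fxp0/fxp1, 192.168.x.x) are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a host's interface address list (example only). */
struct ifaddr_entry {
    const char *ifname; /* interface the address is configured on */
    uint32_t    addr;   /* IPv4 address in host byte order */
};

static const struct ifaddr_entry iftable[] = {
    { "fxp0", 0xC0A80101u }, /* 192.168.1.1 on fxp0 */
    { "fxp1", 0xC0A80201u }, /* 192.168.2.1 on fxp1 */
    { "lo0",  0x7F000001u }, /* 127.0.0.1  on lo0  */
};

/* Outcome of the local-delivery decision. */
enum verdict {
    NOT_OURS = 0,      /* no interface carries this address */
    OURS = 1,          /* address matches and interface check passed */
    OURS_WRONG_IF = 2  /* address matches, but arrived on another interface */
};

/*
 * Walk the address list the way the commit log describes: the destination
 * must match one of our addresses, and, unless the packet was generated
 * locally, it must have arrived through the interface that owns the
 * address. A match on the wrong interface is reported separately so the
 * caller can count or log it instead of silently treating it as foreign.
 */
static enum verdict is_ours(uint32_t dst, const char *rcvif, bool locally_generated)
{
    enum verdict v = NOT_OURS;

    for (size_t i = 0; i < sizeof iftable / sizeof iftable[0]; i++) {
        if (iftable[i].addr != dst)
            continue;
        if (locally_generated || strcmp(iftable[i].ifname, rcvif) == 0)
            return OURS;
        /* Address is ours but on a different interface; keep scanning in
         * case the same address is also configured on rcvif. */
        v = OURS_WRONG_IF;
    }
    return v;
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case OURS:          return "deliver";
    case OURS_WRONG_IF: return "drop (ours, wrong interface)";
    default:            return "not ours (forward or drop)";
    }
}

int main(void)
{
    /* Symmetric case: packet for fxp0's address arrives on fxp0. */
    printf("192.168.1.1 via fxp0: %s\n", verdict_name(is_ours(0xC0A80101u, "fxp0", false)));
    /* Asymmetric case from the thread: same address, arrives on fxp1. */
    printf("192.168.1.1 via fxp1: %s\n", verdict_name(is_ours(0xC0A80101u, "fxp1", false)));
    /* Locally generated traffic skips the interface check. */
    printf("192.168.1.1 local   : %s\n", verdict_name(is_ours(0xC0A80101u, "fxp1", true)));
    /* Not one of our addresses at all. */
    printf("10.0.0.1 via fxp0   : %s\n", verdict_name(is_ours(0x0A000001u, "fxp0", false)));
    return 0;
}
```

The OURS_WRONG_IF result is exactly the traffic that a multihomed host with asymmetric routing would lose under the stricter check; surfacing it as its own verdict lets an operator see the drops rather than debugging a silent connectivity failure.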