From owner-cvs-all Thu Mar 1 18:11:49 2001
Delivered-To: cvs-all@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 3C11B37B71A; Thu, 1 Mar 2001 18:11:37 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W/smtpfeed 1.06) with ESMTP id LAA02587; Fri, 2 Mar 2001 11:11:33 +0900 (JST)
To: Jonathan Lemon
Cc: Nate Williams, Jonathan Lemon, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: jlemon's message of Thu, 01 Mar 2001 19:47:51 CST. <20010301194751.V25974@prism.flugsvamp.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: cvs commit: src/sys/netinet ip_input.c
From: itojun@iijlab.net
Date: Fri, 02 Mar 2001 11:11:33 +0900
Message-ID: <2585.983499093@coconut.itojun.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>> The change, specifically the following part, seems to implement
>> ingress filtering. The change will choke on multihomed hosts
>> with asymmetric routing (like packets from X come into interface A,
>> and packets to X go out from interface B). RFC2827 has more detail
>> on it. I believe it is too strong a limitation.
>
> Actually, it is not source address ingress filtering as RFC2827 talks
> about, but is a security-related patch, for an upcoming security
> advisory. Multihomed hosts that are correctly set up will still work;
> if the host wants to forward packet X out through another interface,
> it is free to do so.

Sorry, maybe I misread the patch. Then I guess you have changed the host model from weak to strong.
If so, there are lots of other components that need to be changed (source address selection, routing announcements for !IFF_UP interface routes), and I guess there will be lots of breakages in unnumbered interface settings and other configurations. I guess this is safer as default behavior. If firewalls need to behave strong-model-like, people are free to do so by installing filter configurations.

http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.12&r2=1.13

itojun
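As an added illustration of the weak-versus-strong host model difference the thread is arguing about (example code written for this page, not from the FreeBSD patch or the KAME tree), the following C models the local-delivery decision for the asymmetric-routing case: traffic from X arrives on interface A but is addressed to B's address. The interface names, addresses and the simplified interface structure are constructed assumptions, not the kernel's own data structures.

```c
#include <stdio.h>
#include <string.h>

/* Assumed, simplified model: an interface has a name and one IPv4
 * address (as a dotted string). Not the kernel's ifnet/in_ifaddr. */
struct iface { const char *name; const char *addr; };

enum host_model { WEAK_HOST, STRONG_HOST };

/* Return 1 if a packet arriving on in_if with destination dst is
 * accepted for local delivery, 0 if it is dropped.
 * Weak model:   dst may match an address on any interface.
 * Strong model: dst must match an address on the receiving interface. */
int accept_for_local(enum host_model model, const struct iface *ifs,
                     size_t n, const char *in_if, const char *dst)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ifs[i].addr, dst) != 0)
            continue;                       /* not one of our addresses */
        if (model == WEAK_HOST)
            return 1;                       /* any local address is fine */
        if (strcmp(ifs[i].name, in_if) == 0)
            return 1;                       /* address lives on this ifp */
    }
    return 0;
}

/* Constructed scenario from the thread: host with interfaces A and B. */
static const struct iface host_ifs[] = {
    { "A", "192.0.2.1" },
    { "B", "198.51.100.1" },
};
#define N_IFS (sizeof host_ifs / sizeof host_ifs[0])

/* Packet from X comes in on A but is addressed to B (asymmetric routing). */
int asymmetric_case(enum host_model model)
{
    return accept_for_local(model, host_ifs, N_IFS, "A", "198.51.100.1");
}

int main(void)
{
    printf("weak host model accepts:   %d\n", asymmetric_case(WEAK_HOST));
    printf("strong host model accepts: %d\n", asymmetric_case(STRONG_HOST));
    return 0;
}
```

The weak model delivers the packet and the strong model drops it, which is exactly the multihomed breakage the quoted objection describes; a filter rule on a firewall can reproduce the strong behaviour without changing the default for every host.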