From owner-cvs-all Thu Mar 1 18:29:46 2001
Delivered-To: cvs-all@freebsd.org
Received: from prism.flugsvamp.com (cb58709-a.mdsn1.wi.home.com [24.17.241.9]) by hub.freebsd.org (Postfix) with ESMTP id 7114037B71A; Thu, 1 Mar 2001 18:29:42 -0800 (PST) (envelope-from jlemon@flugsvamp.com)
Received: (from jlemon@localhost) by prism.flugsvamp.com (8.11.0/8.11.0) id f222S4176048; Thu, 1 Mar 2001 20:28:04 -0600 (CST) (envelope-from jlemon)
Date: Thu, 1 Mar 2001 20:28:04 -0600
From: Jonathan Lemon
To: itojun@iijlab.net
Cc: Jonathan Lemon, Nate Williams, Jonathan Lemon, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c
Message-ID: <20010301202804.W25974@prism.flugsvamp.com>
References: <20010301194751.V25974@prism.flugsvamp.com> <2585.983499093@coconut.itojun.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <2585.983499093@coconut.itojun.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Mar 02, 2001 at 11:11:33AM +0900, itojun@iijlab.net wrote:
>
> >> the change, specifically the following part, seems to implement
> >> ingress filtering. the change will choke on multihomed hosts
> >> with asymmetric routing (like packets from X come in on interface A,
> >> and packets to X go out from interface B). RFC2827 has more detail
> >> on it. I believe it is too strong a limitation.
> >
> >Actually, it is not source address ingress filtering as RFC2827 talks
> >about, but is a security-related patch, for an upcoming security
> >advisory. Multihomed hosts that are correctly set up will still work;
> >if the host wants to forward packet X out through another interface,
> >it is free to do so.
>
> sorry, maybe I misread the patch. then I guess you have changed the
> host model from weak to strong. if so, there are lots of other
> components that need to be changed (source address selection, routing
> announcements for !IFF_UP interface routes), and i guess there will be
> lots of breakage in unnumbered interface settings and other
> configurations.
>
> i guess this is safer as default behavior. if firewalls need
> to behave in a strong-model-like way, people are free to do so by installing
> filter configurations.
> http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.12&r2=1.13

Yes, this is a weaker approach. However, do you have any evidence that
things will break with a stronger model? Note that if the host is
acting as a router and forwarding between interfaces, the model reverts
to the original weaker behavior.
--
Jonathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message