Date: Mon, 8 Mar 2004 18:07:53 -0500
From: James <haesu@towardex.com>
To: Andre Oppermann <andre@freebsd.org>
Cc: James <haesu@towardex.com>
Subject: Re: My planned work on networking stack
Message-ID: <20040308230753.GA84279@scylla.towardex.com>
In-Reply-To: <4048F1B7.934AAC89@freebsd.org>
References: <4043B6BA.B847F081@freebsd.org> <200403011507.52238.wes@softweyr.com> <20040302031625.GA4061@scylla.towardex.com> <20040302042957.GH3841@saboteur.dek.spc.org> <20040302082625.GE22985@cell.sick.ru> <20040303181034.GA58284@scylla.towardex.com> <404653DB.186DA0C2@freebsd.org> <4048F1B7.934AAC89@freebsd.org>
One feedback I can provide to this patch... under [any] interface checks (the loose check mode), if the route is pointed toward a discard interface (e.g. ds0 in FreeBSD, Null0 in Cisco), drop the packet. Under Cisco, a route pointed to Null0 creates a null adjacency, even under loose-check mode, causing CEF to drop the packets originated with the source of the said route.

-J

On Fri, Mar 05, 2004 at 10:31:35PM +0100, Andre Oppermann wrote:
> Andre Oppermann wrote:
> > 
> > > there are still other things freebsd lacks. such as uRPF that _SERVICE_PROVIDER_
> > > can use. ipfw2 has verrevpath but all it does from what i know is strict uRPF
> > > only. service providers like myself, if we were to use freebsd boxen to run our
> > > network, i am not spending money on a router that doesn't do loose-check uRPF.
> > > this sounds like something linux does too but i refuse to use that :P
> > 
> > That is pretty easy to implement. I should have it by Friday at latest,
> > depends on when exactly I find time for it.
> > 
> > ip verify unicast source reachable-via [any|ifn]
> > 
> > The ipfw2 command would look like this: ... versrcreach [fxp0]
> 
> Here you go:
> 
> http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
> 
> This one implements the standard functionality, the definition of an
> interface through which it has to be reachable is not (yet) supported.
> 
> Using this option only makes sense when you don't have a default route
> which naturally always matches. So this is useful for machines acting
> as routers with a default-free view of the entire Internet as common
> when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
> 
> One useful way of enabling it globally on a router looks like this:
> 
> ipfw add xxxx deny ip from any to any not versrcreach
> 
> or for an individual interface only:
> 
> ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
> 
> I'd like to get some feedback (and a man page draft) before I commit it
> to -CURRENT.
> 
> -- 
> Andre

-- 
James Jun                          TowardEX Technologies, Inc.
Technical Lead                     Network Design, Consulting, IT Outsourcing
james@towardex.com                 Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867              web: http://www.towardex.com , noc: www.twdx.net
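The reverse-path check the thread is discussing, written out as an added example (this is illustration code, not Andre's ipfw patch and not any FreeBSD or Cisco implementation). It models three points from the exchange: the loose check (`reachable-via any`) passes a source as long as some route covers it, the strict per-interface check additionally requires that route to point back out the receiving interface, and, following James's feedback, a source whose best route points at a discard interface (`ds0`, `Null0`) is dropped even in loose mode. The routing table, interface names and addresses are constructed, and `versrcreach`/`ipfw_verdict` are hypothetical helper names chosen to mirror the ipfw keyword:

```python
import ipaddress
from typing import Optional, Tuple

# Interfaces treated as discard/blackhole, as named in the thread (ds0 on FreeBSD, Null0 on Cisco).
DISCARD_IFACES = {"ds0", "Null0"}

# Constructed routing table for the example: (prefix, egress interface). Not a real config.
ROUTES = [
    ("10.0.0.0/8", "fxp0"),
    ("192.0.2.0/24", "fxp1"),
    ("198.51.100.0/24", "ds0"),   # blackholed prefix: routed to the discard interface
]


def build_table(routes):
    """Parse (prefix, iface) pairs into (ip_network, iface) pairs."""
    return [(ipaddress.ip_network(prefix), ifn) for prefix, ifn in routes]


def lookup(table, addr) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match on the source address; None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifn in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn)
    return best


def versrcreach(table, src, recv_iface=None) -> bool:
    """Return True when the source passes the reverse-path check.

    recv_iface=None  -> loose check ("reachable-via any"): any covering route suffices.
    recv_iface="fxp0" -> strict check: the covering route must point back out fxp0.
    A route to a discard interface fails in both modes (James's point about Null0).
    """
    match = lookup(table, src)
    if match is None:
        return False                      # no route at all: source is unreachable
    _net, ifn = match
    if ifn in DISCARD_IFACES:
        return False                      # best route is a blackhole: drop even in loose mode
    if recv_iface is not None and ifn != recv_iface:
        return False                      # strict mode: route does not point back the way we received it
    return True


def ipfw_verdict(table, src, recv_iface=None) -> str:
    """Models 'ipfw add N deny ip from any to any not versrcreach [recv IFN]'."""
    return "pass" if versrcreach(table, src, recv_iface) else "deny"


if __name__ == "__main__":
    table = build_table(ROUTES)
    for src, ifn in [("10.1.2.3", None), ("10.1.2.3", "fxp0"), ("10.1.2.3", "fxp1"),
                     ("198.51.100.7", None), ("203.0.113.9", None)]:
        print(f"{src:>14} recv={ifn or 'any':5} -> {ipfw_verdict(table, src, ifn)}")
    # Andre's caveat: with a default route installed, the loose check always matches.
    with_default = build_table(ROUTES + [("0.0.0.0/0", "fxp0")])
    print("203.0.113.9 with default route ->", ipfw_verdict(with_default, "203.0.113.9"))
```

The last two lines reproduce Andre's caveat: once a default route is present, `lookup` always finds a covering route, so the loose check passes any source that is not explicitly blackholed, which is why the option is only useful on a default-free router.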