Date: Thu, 8 Jan 2009 14:46:17 -0500
From: "Adrian Chadd" <adrian@freebsd.org>
To: "FreeBSD Net" <freebsd-net@freebsd.org>
Subject: Julian's source IP address spoofing - code review requested
Message-ID: <d763ac660901081146s7827298aj486c2acca0e650f9@mail.gmail.com>

G'day all,

I've finally gotten around to pulling apart some of Julian Elischer's work on the source IP address spoofing stuff and I've been testing it on my local squid-2 fork (cacheboy.)

I'd appreciate some comments and review before I begin committing bits of it to freebsd-current.

The work will be available here, including a brief description of what is going on:

http://people.freebsd.org/~adrian/sys/spoof_bind/

I'd first like to commit the core changes which introduce a new compile option, sysctl and IP option to enable a non-local IP address in bind(). That in itself is enough to at least begin testing under -current and releng_7.

The diff against -current for this first phase is available here:

http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff

I'm currently running just this patch on a machine in the netperf cluster which is acting as a transparent HTTP interception thing. It seems to handle "moderate" request rates (~1500 socket creations a second, ~150mbit).

This first patch is pretty straightforward and I'm reasonably confident that it won't break anything in -current or releng_7 which isn't already broken.

There are other changes to IPFW and the bridging code which I'll ask to be reviewed separately.

Thanks!

Adrian