From: "Adrian Chadd" <adrian.chadd@gmail.com>
To: "FreeBSD Net"
Date: Thu, 8 Jan 2009 14:46:17 -0500
Subject: Julian's source IP address spoofing - code review requested
List-Id: Networking and TCP/IP with FreeBSD

G'day all,

I've finally gotten around to pulling apart some of Julian Elischer's work on the source IP address spoofing stuff and I've been testing it on my local squid-2 fork (cacheboy.) I'd appreciate some comments and review before I begin committing bits of it to freebsd-current.

The work will be available here, including a brief description of what is going on:

http://people.freebsd.org/~adrian/sys/spoof_bind/

I'd first like to commit the core changes which introduce a new compile option, sysctl and IP option to enable a non-local IP address in bind(). That in itself is enough to at least begin testing under -current and releng_7. The diff against -current for this first phase is available here:

http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff

I'm currently running just this patch on a machine in the netperf cluster which is acting as a transparent HTTP interception thing. It seems to handle "moderate" request rates (~1500 socket creations a second, ~150mbit).

This first patch is pretty straightforward and I'm reasonably confident that it won't break anything in -current or releng_7 which isn't already broken.

There are other changes to IPFW and the bridging code which I'll ask to be reviewed separately.

Thanks!

Adrian
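The kernel check that the patch above makes switchable, shown as an added example (not code from the post or from the linked diff): a stock kernel rejects bind() to an address that is not configured on any local interface with EADDRNOTAVAIL. Because the post does not name the new socket option or sysctl, Linux's IP_FREEBIND is used here as a stand-in with the same relaxed-bind semantics (an assumption), and the non-local address is a constructed TEST-NET-1 value.

```python
import errno
import socket

# Constructed sample address from TEST-NET-1 (RFC 5737); it is never
# configured on a local interface, so a default kernel refuses to bind it.
NONLOCAL_ADDR = "192.0.2.1"


def bind_result(addr: str, freebind: bool = False) -> str:
    """Try to bind a TCP socket to addr on an ephemeral port.

    Returns "OK" on success, otherwise the errno name the kernel replied
    with (for a non-local address on a stock kernel: "EADDRNOTAVAIL").
    freebind=True sets Linux's IP_FREEBIND, assumed here to stand in for
    the non-local-bind option under review; it is Linux-specific.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if freebind:
            # 15 is IP_FREEBIND on Linux; older Python builds lack the constant.
            opt = getattr(socket, "IP_FREEBIND", 15)
            s.setsockopt(socket.IPPROTO_IP, opt, 1)
        try:
            s.bind((addr, 0))
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
        return "OK"


if __name__ == "__main__":
    # A configured address binds; the non-local one is refused unless the
    # relaxed-bind knob is on, which is exactly the gate a reviewer of the
    # patch (and an operator auditing a host) wants to see enforced by default.
    print("loopback:", bind_result("127.0.0.1"))
    print("non-local, default:", bind_result(NONLOCAL_ADDR))
    print("non-local, relaxed:", bind_result(NONLOCAL_ADDR, freebind=True))
```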