From: Julian Elischer
Date: Thu, 08 Jan 2009 12:26:49 -0800
To: Adrian Chadd
Cc: FreeBSD Net
Subject: Re: Julian's source IP address spoofing - code review requested
List-Id: Networking and TCP/IP with FreeBSD

Adrian Chadd wrote:
> G'day all,
>
> I've finally gotten around to pulling apart some of Julian Elischer's
> work on the source IP address spoofing stuff and I've been testing it
> on my local squid-2 fork (cacheboy.)
>
> I'd appreciate some comments and review before I begin committing bits
> of it to freebsd-current.
>
> The work will be available here, including a brief description of what
> is going on:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/

Well, the for_me rule in ipfw may have similar problems that the uid rules had WRT lock order. I notice you are using a read lock, which may solve that problem.

I see you always call ether_demux when a packet is moved up.. hopefully that will also work if an interface is NOT ethernet? Hey, I know I originally wrote this, but it's been a while and I must say I was following tracks made by others, and we are using only a subset of possible hardware...

> I'd first like to commit the core changes which introduce a new
> compile option, sysctl and IP option to enable a non-local IP address
> in bind(). That in itself is enough to at least begin testing under
> -current and releng_7.

The logical equivalent of this code (not prettied up) has been in Ironport's FreeBSD since 4.x. The code in if_bridge is new as we used the old bridge code, but it's logically similar. FYI we will probably switch to a single netgraph node that does bridging and filtering combined in 7.x :-)

> The diff against -current for this first phase is available here:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff
>
> I'm currently running just this patch on a machine in the netperf
> cluster which is acting as a transparent HTTP interception thing. It
> seems to handle "moderate" request rates (~1500 socket creations a
> second, ~150mbit). This first patch is pretty straight forward and I'm
> reasonably confident that it won't break anything in -current or
> releng_7 which isn't already broken.

For others, this is a patch that allows the proxy to be a "bump on the wire". It is proxying between two segments of the same subnet, completely transparently (assuming you do server side spoofing too.)

> There are other changes to IPFW and the bridging code which I'll ask
> to be reviewed separately.
>
> Thanks!
>
> Adrian