From: Adrian Chadd <adrian.chadd@gmail.com>
Date: Thu, 8 Jan 2009 17:18:15 -0500
To: Julian Elischer
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Julian's source IP address spoofing - code review requested
In-Reply-To: <49666189.9010406@elischer.org>

2009/1/8 Julian Elischer:
> I see you always call ether_demux when a packet is moved up..

s/you/you/ :) This is all your stuff IIRC, I just ported and commented as required.

> hopefully that will also work if an interface is NOT ethernet?

This is why I left the ethernet bridge interception stuff out in a separate diff. I'll commit it only once I've spoken to bridge-cluey people and have their blessing.

> hey I know I originally wrote this but it's been a while and
> I must say I was following tracks made by others, and we
> are using only a subset of possible hardware...

Well, it's entirely possible this stuff will be deployed in two scenarios:

* where it's all done at the IP layer, e.g. policy routing, IPFW
* where it's being done as part of a transparent ethernet bridge

> FYI we will probably switch to a single netgraph node that
> does bridging and filtering combined in 7.x :-)

That'd certainly be nicer. ;)

About the only thing I'm looking to add to this later on is to flesh out IPv6 source address spoofing too, just in case V6 catches on.

Adrian