From: Łukasz Bromirski <lbromirski@mr0vka.eu.org>
Date: Tue, 03 Jan 2006 01:39:40 +0100
To: freebsd-net@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: Reverse Path Filtering check in ip_input.c

Hi,

Following some short discussion on freebsd-pf I've written (mostly copied, but let's skip that for a moment) a short patch for ip_input.c that does a uRPF check for incoming packets. In simple words, it's exactly the function ipfw2 is calling when you specify a rule with `versrcreach', but it's there in the core network processing path and it's controlled via sysctl, so you don't need any packet filter in the system to get the job done. If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if it's set to 1, checking of the source address/interface against the routing table is in effect.

Checks will skip packets coming in from loopback or CARP interfaces. When a packet is going to be dropped, a syslog message is generated with the source IP address and the input interface it came on, and system counters are increased.

Patch applies cleanly to ip_input.c version 1.301.2.3 dated 2005/10/09 (latest RELENG_5 checkout). It will also work with the latest RELENG_4 checkout (ip_input.c version 1.130.2.55 dated 2005/01/02). Please note however, this code is for IPv4 only.

http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Please also note, there's already a similar sysctl in ip_input.c - it's named ip_checkinterface and does a subset of uRPF checks, so while I don't think this patch is going to make it into the source tree, maybe it's time for someone wiser than me to review the code and 'update' the ip_input.c code?

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net
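A userland model of the strict check the mail describes, added here as an illustration and not taken from the patch or from ip_input.c: a packet passes when the route back to its source leaves via the interface it arrived on, loopback and CARP interfaces are skipped, and a drop bumps a counter and logs the source and input interface. The interfaces, forwarding table and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not the patch's code): strict unicast RPF on a toy FIB. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { IF_LOOPBACK = 1, IF_CARP = 2 };

struct iface { const char *name; int flags; };
struct route { uint32_t net; int plen; const char *ifname; };

/* Constructed interfaces and forwarding table. */
const struct iface lo0 = { "lo0", IF_LOOPBACK }, carp0 = { "carp0", IF_CARP };
const struct iface em0 = { "em0", 0 }, em1 = { "em1", 0 }, em2 = { "em2", 0 };
static const struct route fib[] = {
    { IP4(0, 0, 0, 0),   0, "em0" }, /* default route: any source not covered by a
                                        more specific route passes on em0, so strict
                                        uRPF is only as tight as the FIB */
    { IP4(10, 0, 0, 0),  8, "em1" },
    { IP4(10, 1, 0, 0), 16, "em2" }, /* more specific than 10/8 */
};

int net_inet_ip_urpf = 1;     /* stands in for the sysctl */
unsigned long urpf_drops = 0; /* stands in for the kernel counter */

static uint32_t prefix_mask(int plen) { return plen ? 0xFFFFFFFFu << (32 - plen) : 0; }

/* Longest-prefix match; NULL when no route covers the address. */
static const struct route *fib_lookup(uint32_t addr) {
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof fib / sizeof fib[0]; i++)
        if ((addr & prefix_mask(fib[i].plen)) == fib[i].net &&
            (best == NULL || fib[i].plen > best->plen))
            best = &fib[i];
    return best;
}

/* Returns 1 to accept the packet, 0 to drop it. */
int urpf_check(uint32_t src, const struct iface *in) {
    if (!net_inet_ip_urpf) return 1;                   /* net.inet.ip.urpf=0 */
    if (in->flags & (IF_LOOPBACK | IF_CARP)) return 1; /* skipped interfaces */
    const struct route *r = fib_lookup(src);
    if (r != NULL && strcmp(r->ifname, in->name) == 0) return 1;
    urpf_drops++;                                      /* counter bump */
    fprintf(stderr, "urpf: drop src %u.%u.%u.%u on %s\n", /* the syslog line */
            src >> 24, (src >> 16) & 255, (src >> 8) & 255, src & 255, in->name);
    return 0;
}
```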