From: Yann Berthier
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Tue, 3 Jan 2006 12:51:20 +0100
Subject: Re: Reverse Path Filtering check in ip_input.c
Message-ID: <20060103115120.GG840@bashibuzuk.net>
In-Reply-To: <43B9C7CC.7090703@mr0vka.eu.org>

Hello,

On Tue, 03 Jan 2006, at 01:39, Łukasz Bromirski wrote:

> Hi,
>
> Following some short discussion on freebsd-pf I've written (mostly
> copied, but let's skip that for a moment) a short patch for ip_input.c
> that does a uRPF check for incoming packets.
>
> In simple words, it's exactly the function ipfw2 is calling when
> you specify a rule with `versrcreach', but it's there in the core
> network processing path and it's controlled via sysctl, so you don't
> need any packet filter in the system to get the job done.
>
> If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
> it's set to 1, checking of source address/interface against the routing
> table is in effect. Checks will skip packets coming in from
> loopback or CARP interfaces.
>
> When the packet is going to be dropped, there's a syslog message
> generated with the source IP address and the input interface it came on,
> and system counters are increased.
>
> The patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with the latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
>
> Please note however, this code is for IPv4 only.
>
> http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
> SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Nice!

> Please also note, there's already a similar sysctl in ip_input.c -
> it's named ip_checkinterface and does a subset of the uRPF checks, so
> while I don't think this patch is going to make it into the source tree,
> maybe it's time for someone wiser than me to review the code and
> 'update' the ip_input.c code?

If this yet-to-be-found wiser guy would not forget the loose check too
(verrevpath in ipfw speak), where packets matching the default route are
OK ... :)

Cheers,

- yann
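The check the thread is discussing, as an added userland model that is not the patch linked above and not FreeBSD's ip_input.c: a small longest-prefix routing table, a strict check (the best route back to the source must leave on the ingress interface) and a loose check (any route back to the source is enough), the loopback/CARP exemption the patch describes, and a drop counter plus a syslog-style message in place of the kernel's counters and log(9). It goes one step beyond the thread by making the default-route policy an explicit knob (allow_default), since with a default route installed every source is "reachable" and whether that match counts is what decides how much the check filters. The routing table, interface names, packet samples, the urpf_check signature and the allow_default parameter are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the patch from the thread: a userland model of a
 * unicast reverse-path-forwarding (uRPF) check against a small routing
 * table. Route entries, interface names and packet samples are constructed. */

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route {
    uint32_t    dst;    /* network address, host byte order */
    int         plen;   /* prefix length; 0 is the default route */
    const char *ifname; /* interface the route leaves on */
};

/* Constructed routing table: a LAN on em1, a customer prefix on em2 with a
 * more specific /24 hanging off em1, and a default route out the upstream em0. */
static const struct route rt[] = {
    { IP4(0, 0, 0, 0),       0, "em0" },
    { IP4(192, 168, 1, 0),  24, "em1" },
    { IP4(10, 20, 0, 0),    16, "em2" },
    { IP4(10, 20, 5, 0),    24, "em1" },
};

static uint32_t prefix_mask(int plen) {
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match; NULL only if no route (including no default) matches. */
static const struct route *route_lookup(uint32_t addr) {
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof rt / sizeof rt[0]; i++) {
        uint32_t m = prefix_mask(rt[i].plen);
        if ((addr & m) == (rt[i].dst & m) && (best == NULL || rt[i].plen > best->plen))
            best = &rt[i];
    }
    return best;
}

enum urpf_mode { URPF_OFF, URPF_STRICT, URPF_LOOSE };

static unsigned long urpf_drops;   /* stands in for the system counter */
static char urpf_last_log[96];     /* stands in for the syslog line */

/* Returns 1 to accept the packet, 0 to drop it.
 * strict: the best route back to src must leave on the ingress interface.
 * loose:  any route back to src is enough.
 * allow_default: whether a match on the default route counts as a route
 * (assumed knob; without it every source is "reachable" once a default
 * route is installed, so the check filters almost nothing). */
int urpf_check(enum urpf_mode mode, int allow_default, uint32_t src, const char *ifname) {
    if (mode == URPF_OFF)
        return 1;
    /* Loopback and CARP traffic is exempt, as in the patch under discussion. */
    if (strncmp(ifname, "lo", 2) == 0 || strncmp(ifname, "carp", 4) == 0)
        return 1;

    const struct route *r = route_lookup(src);
    int ok;
    if (r == NULL)
        ok = 0;                               /* unroutable source */
    else if (r->plen == 0 && !allow_default)
        ok = 0;                               /* only the default route matches */
    else if (mode == URPF_LOOSE)
        ok = 1;                               /* some route exists, good enough */
    else
        ok = strcmp(r->ifname, ifname) == 0;  /* strict: reverse path == ingress */

    if (!ok) {
        urpf_drops++;
        snprintf(urpf_last_log, sizeof urpf_last_log,
                 "urpf: dropped packet from %u.%u.%u.%u on %s",
                 (unsigned)(src >> 24), (unsigned)((src >> 16) & 255),
                 (unsigned)((src >> 8) & 255), (unsigned)(src & 255), ifname);
    }
    return ok;
}

unsigned long urpf_drop_count(void) { return urpf_drops; }
const char *urpf_last_message(void) { return urpf_last_log; }

int main(void) {
    /* A LAN source address arriving on the upstream link is dropped in strict mode... */
    printf("%d\n", urpf_check(URPF_STRICT, 0, IP4(192, 168, 1, 7), "em0"));
    puts(urpf_last_message());
    /* ...and accepted when it arrives on the LAN interface its route points at. */
    printf("%d\n", urpf_check(URPF_STRICT, 0, IP4(192, 168, 1, 7), "em1"));
    return 0;
}
```

The 10.20.5.0/24 entry is there to show why the lookup must be longest-prefix: a packet from 10.20.5.9 arriving on em2 is a legitimate match for the /16 but is still dropped in strict mode, because the best route sends that address out em1. Loose mode accepts it, and only the default-route policy separates loose mode from no check at all.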