From owner-freebsd-net@FreeBSD.ORG Fri Mar 5 13:31:42 2004
From: Andre Oppermann
Date: Fri, 05 Mar 2004 22:31:35 +0100
To: James, freebsd-current@freebsd.org, freebsd-net@freebsd.org
Subject: Re: My planned work on networking stack
Message-ID: <4048F1B7.934AAC89@freebsd.org>
References: <4043B6BA.B847F081@freebsd.org> <200403011507.52238.wes@softweyr.com> <20040302031625.GA4061@scylla.towardex.com> <20040302042957.GH3841@saboteur.dek.spc.org> <20040302082625.GE22985@cell.sick.ru> <404653DB.186DA0C2@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

Andre Oppermann wrote:
>
> > There are still other things FreeBSD lacks, such as uRPF that a _SERVICE_PROVIDER_
> > can use. ipfw2 has verrevpath, but all it does, from what I know, is strict uRPF
> > only. Service providers like myself, if we were to use FreeBSD boxen to run our
> > network: I am not spending money on a router that doesn't do loose-check uRPF.
> > This sounds like something Linux does too, but I refuse to use that :P
>
> That is pretty easy to implement. I should have it by Friday at latest,
> depends on when exactly I find time for it.
>
>   ip verify unicast source reachable-via [any|ifn]
>
> The ipfw2 command would look like this:
>
>   ... versrcreach [fxp0]

Here you go:

  http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff

This one implements the standard functionality; the definition of an
interface through which it has to be reachable is not (yet) supported.

Using this option only makes sense when you don't have a default route,
which naturally always matches. So this is useful for machines acting as
routers with a default-free view of the entire Internet, as is common when
running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).

One useful way of enabling it globally on a router looks like this:

  ipfw add xxxx deny ip from any to any not versrcreach

or for an individual interface only:

  ipfw add xxxx deny ip from any to any not versrcreach recv fxp0

I'd like to get some feedback (and a man page draft) before I commit it
to -CURRENT.

-- 
Andre
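The message above describes two different reverse-path checks: verrevpath (strict uRPF: the route back to the source must point out the interface the packet arrived on) and the new versrcreach (loose uRPF: the source merely has to be reachable via some route), and it notes that a default route makes the loose check match everything. The following is an added example, not code from the patch or from FreeBSD; it models those two checks over a small constructed routing table so the difference, and the default-route caveat, can be seen on concrete packets. The prefixes, interface names and the helper names lookup, versrcreach, verrevpath and ipfw_verdict are all assumptions made for the example; real ipfw does the lookup in the kernel FIB.

```python
import ipaddress

# Constructed forwarding tables for the example (not a real router's FIB).
# Each entry is (destination prefix, outgoing interface).
FIB_DEFAULT_FREE = [
    ("192.0.2.0/24", "fxp0"),      # a customer reached through fxp0
    ("198.51.100.0/24", "fxp1"),   # a peer reached through fxp1
    ("203.0.113.0/25", "fxp1"),    # note: only the lower half of the /24
]
# The same table plus a default route: this is the case the message
# warns about, where loose uRPF degenerates to "always true".
FIB_WITH_DEFAULT = FIB_DEFAULT_FREE + [("0.0.0.0/0", "fxp1")]


def lookup(fib, addr):
    """Longest-prefix match for addr; returns (network, iface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def versrcreach(fib, src):
    """Loose uRPF (ipfw2 'versrcreach'): the source address must be covered
    by some route, regardless of which interface that route uses."""
    return lookup(fib, src) is not None


def verrevpath(fib, src, recv_if):
    """Strict uRPF (ipfw2 'verrevpath'): the route back to the source must
    leave through the interface the packet was received on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == recv_if


def ipfw_verdict(fib, src, recv_if, check="versrcreach", only_if=None):
    """Model of 'ipfw add N deny ip from any to any not <check> [recv <only_if>]'.

    Returns "deny" when the rule fires and "pass" when the packet falls
    through to later rules (either the check succeeded or the rule's
    'recv' qualifier excluded this interface)."""
    if only_if is not None and recv_if != only_if:
        return "pass"  # rule is restricted to another interface
    if check == "versrcreach":
        ok = versrcreach(fib, src)
    elif check == "verrevpath":
        ok = verrevpath(fib, src, recv_if)
    else:
        raise ValueError("unknown check: %s" % check)
    return "pass" if ok else "deny"


if __name__ == "__main__":
    # Constructed packets: (source address, receiving interface).
    packets = [("192.0.2.10", "fxp0"),     # legitimate customer traffic
               ("198.51.100.5", "fxp0"),   # peer prefix arriving on the wrong side
               ("10.0.0.1", "fxp1"),       # unrouted (likely spoofed) source
               ("203.0.113.200", "fxp1")]  # outside the routed /25
    for src, rif in packets:
        print(src, rif,
              "loose:", ipfw_verdict(FIB_DEFAULT_FREE, src, rif),
              "strict:", ipfw_verdict(FIB_DEFAULT_FREE, src, rif, "verrevpath"),
              "loose+default:", ipfw_verdict(FIB_WITH_DEFAULT, src, rif))
```

Running it shows the asymmetric peer packet (198.51.100.5 arriving on fxp0) failing strict but passing loose, which is exactly why a provider with asymmetric routing wants the loose variant, and shows that with the default route present every source passes the loose check, so the rule no longer filters anything.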