Date:      Tue, 03 Jan 2006 14:58:15 +0100
From:      Łukasz Bromirski <lukasz@bromirski.net>
To:        freebsd-net@freebsd.org,  freebsd-pf@freebsd.org
Subject:   Re: Reverse Path Filtering check in ip_input.c
Message-ID:  <43BA82F7.7070408@bromirski.net>
In-Reply-To: <20060103115120.GG840@bashibuzuk.net>
References:  <43B9C7CC.7090703@mr0vka.eu.org> <20060103115120.GG840@bashibuzuk.net>

Yann Berthier wrote:

>    If this yet to be found wiser guy would not forget the loose check
>    too (verrevpath in ipfw speaking), where packets matching the default
>    route are ok ... :)

Actually it does that, and will until we have the option of having two
or more default routes.

Presently, if a packet comes in via an interface and the reply to it
should be sent on the same interface (because the default route points
to it and there are no other routes pointing to another interface for
the same destination), it will work.

The check fails if there's either an interface mismatch, or the source is
present in the routing table but marked as an RTF_REJECT/BLACKHOLE one.

OpenBSD imported the KAME mroute extension that enables them to have
more than one route for a given destination simultaneously in the routing
table. I'm looking into it now, as it's a very attractive thing;
however, as Andre is doing a rework of the network code, I'm sure we'll
have it sooner or later and then maybe someone will revise the old checks
already marked as 'XXX' in the code ;)

-- 
this space was intentionally left blank    |            Łukasz Bromirski
you can insert your favourite quote here   |        lukasz:bromirski,net
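
The check described in this message, as an added user-space example (not the patch under discussion and not code from ip_input.c). The routing table, interface indexes and all `ex_` names are constructed for illustration, and a source with no route at all is assumed to fail.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Example-local stand-ins for the route flags named in the message. */
#define EX_RTF_REJECT    0x1
#define EX_RTF_BLACKHOLE 0x2

struct ex_route { uint32_t prefix; int plen; int ifindex; int flags; };

/* Constructed table: interface 1 carries the default route, interface 2 a LAN. */
static const struct ex_route ex_table[] = {
    { 0x00000000,  0, 1, 0 },                 /* default route via if 1    */
    { 0xC0A80100, 24, 2, 0 },                 /* 192.168.1.0/24 on if 2    */
    { 0x0A000000,  8, 1, EX_RTF_BLACKHOLE },  /* 10.0.0.0/8, blackholed    */
};

/* Longest-prefix match; with one route per destination there is one answer. */
static const struct ex_route *ex_lookup(uint32_t addr)
{
    const struct ex_route *best = NULL;
    for (size_t i = 0; i < sizeof ex_table / sizeof ex_table[0]; i++) {
        const struct ex_route *r = &ex_table[i];
        uint32_t mask = r->plen ? ~(uint32_t)0 << (32 - r->plen) : 0;
        if ((addr & mask) == r->prefix && (!best || r->plen > best->plen))
            best = r;
    }
    return best;
}

/* Returns 1 when the packet passes the check, 0 when it should be dropped. */
int ex_rpf_check(uint32_t src, int rcv_ifindex)
{
    const struct ex_route *r = ex_lookup(src);
    if (r == NULL)
        return 0;   /* no route back to the source: fail (assumption) */
    if (r->flags & (EX_RTF_REJECT | EX_RTF_BLACKHOLE))
        return 0;   /* source is routed, but to a reject/blackhole entry */
    return r->ifindex == rcv_ifindex;   /* interface mismatch fails */
}

int main(void)
{
    printf("8.8.8.8 on if 1:      %d\n", ex_rpf_check(0x08080808, 1));
    printf("8.8.8.8 on if 2:      %d\n", ex_rpf_check(0x08080808, 2));
    printf("192.168.1.10 on if 1: %d\n", ex_rpf_check(0xC0A8010A, 1));
    printf("10.1.2.3 on if 1:     %d\n", ex_rpf_check(0x0A010203, 1));
    return 0;
}
```

With a single default route, any source not covered by a more specific prefix passes only on the interface that default points to, which is the behaviour the message describes.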