Date:      Tue, 3 Jan 2006 15:31:16 +0100
From:      Yann Berthier <yb@bashibuzuk.net>
To:        freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: Reverse Path Filtering check in ip_input.c
Message-ID:  <20060103143116.GH840@bashibuzuk.net>
In-Reply-To: <43BA82F7.7070408@bromirski.net>
References:  <43B9C7CC.7090703@mr0vka.eu.org> <20060103115120.GG840@bashibuzuk.net> <43BA82F7.7070408@bromirski.net>

On Tue, 03 Jan 2006, at 14:58, Łukasz Bromirski wrote:

> Yann Berthier wrote:
> 
> >    If this yet to be found wiser guy would not forget the loose check
> >    too (verrevpath in ipfw speaking), where packets matching the default
> >    route are ok ... :)
> 
> Actually it does that and will until we have the option to have two
> or more default routes.
> 
> Presently, if a packet comes in via an interface and the reply to it
> should be sent on the same interface (because the default route points
> to it and there are no other routes pointing for the same destination
> to another interface) it will work.
> 
> Check fails if there's either an interface mismatch, or the source is
> present in the routing table but marked as an RTF_REJECT/BLACKHOLE one.

   My bad, I didn't look at your patch; I was misled by the
   verrevpath / versrcreach description.

> OpenBSD imported the KAME mroute extension that enables them to have
> more than one route for a given destination simultaneously in the
> routing table. I'm looking into it now, as it's a very attractive
> thing; however, as Andre is doing a rework of the network code I'm sure
> we'll have it sooner or later and then maybe someone will revise the
> old checks already marked as 'XXX' in the code ;)

   Amen

      - yann
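
Added example (not part of the original thread or of the patch under discussion): a user-space C model of the check as the quoted text describes it, where a packet passes only if the best route back to its source points out the receiving interface and is not flagged RTF_REJECT/RTF_BLACKHOLE. The `route_entry` struct, the `fib` table, `lookup` and `rpf_check` are hypothetical names, the flag constants are local stand-ins, and dropping on "no route at all" is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins named after the kernel route flags discussed in the thread. */
#define RTF_REJECT    0x8
#define RTF_BLACKHOLE 0x1000

struct route_entry {            /* hypothetical toy FIB entry */
    uint32_t prefix;            /* network address, host byte order */
    int      plen;              /* prefix length, 0 = default route */
    int      ifindex;           /* outgoing interface */
    int      flags;
};

/* Constructed sample table: default via if 1, 10.0.0.0/8 via if 2,
 * 192.168.0.0/16 blackholed. */
static const struct route_entry fib[] = {
    { 0x00000000,  0, 1, 0 },
    { 0x0a000000,  8, 2, 0 },
    { 0xc0a80000, 16, 1, RTF_BLACKHOLE },
};

/* Longest-prefix match for addr; NULL when nothing matches. */
static const struct route_entry *lookup(uint32_t addr)
{
    const struct route_entry *best = NULL;
    for (size_t i = 0; i < sizeof(fib) / sizeof(fib[0]); i++) {
        uint32_t mask = fib[i].plen ? ~0u << (32 - fib[i].plen) : 0;
        if ((addr & mask) == fib[i].prefix &&
            (best == NULL || fib[i].plen > best->plen))
            best = &fib[i];
    }
    return best;
}

/* Returns 1 if a packet from src arriving on rcvif passes, 0 if dropped. */
int rpf_check(uint32_t src, int rcvif)
{
    const struct route_entry *rt = lookup(src);
    /* No route (assumption) or a reject/blackhole route: fail. */
    if (rt == NULL || (rt->flags & (RTF_REJECT | RTF_BLACKHOLE)))
        return 0;
    return rt->ifindex == rcvif;    /* interface mismatch fails */
}

int main(void)
{
    printf("8.8.8.8 on if1: %d, on if2: %d\n",
           rpf_check(0x08080808, 1), rpf_check(0x08080808, 2));
    return 0;
}
```

With a single default route, a source covered only by that route passes on the default route's interface and fails on any other, which is the single-default-route behaviour described in the quoted reply.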


