Date: Tue, 3 Jan 2006 15:31:16 +0100
From: Yann Berthier
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c
Message-ID: <20060103143116.GH840@bashibuzuk.net>
In-Reply-To: <43BA82F7.7070408@bromirski.net>
References: <43B9C7CC.7090703@mr0vka.eu.org> <20060103115120.GG840@bashibuzuk.net> <43BA82F7.7070408@bromirski.net>
X-Operating-System: FreeBSD 7.0-CURRENT
User-Agent: Mutt/1.5.11
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 03 Jan 2006, at 14:58, Łukasz Bromirski wrote:

> Yann Berthier wrote:
>
> > If this yet to be found wiser guy would not forget the loose check
> > too (verrevpath in ipfw speaking), where packets matching the default
> > route are ok ... :)
>
> Actually it does that, and will until we have an option to have two
> or more default routes.
>
> Presently, if packets come via an interface and the reply for them should be
> sent on the same interface (because the default route points to it and
> there are no other routes pointing for the same destination to
> another interface) it will work.
>
> The check fails if there's either an interface mismatch, or the source is present
> in the routing table but marked as an RTF_REJECT/BLACKHOLE one.

My bad, I didn't look at your patch; I was misled by the verrevpath /
versrcreach description.

> OpenBSD imported the KAME mroute extension that enables them to have
> more than one route for a given destination simultaneously in the routing
> table. I'm looking into it now, as it's a very attractive thing;
> however, as Andre is doing a rework of the network code, I'm sure we'll have
> it sooner or later, and then maybe someone will revise the old checks
> already marked as 'XXX' in the code ;)

Amen

- yann
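The reverse-path check Łukasz describes (route lookup on the source, fail on an interface mismatch or on an RTF_REJECT/RTF_BLACKHOLE route, default route counts) modelled over a toy routing table. This is an added example, not FreeBSD's ip_input.c and not the patch under discussion; the table, interface indices and the "no route at all fails" rule are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy model of the reverse-path check discussed in the thread (added
 * example; not FreeBSD's ip_input.c and not the patch under review).
 * Route flags are modelled as plain bits named after the kernel's. */
#define RTF_REJECT    0x1
#define RTF_BLACKHOLE 0x2
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct route { uint32_t net; int plen; int ifindex; int flags; };

/* Constructed sample table: default route out ifindex 1 (uplink),
 * 10/8 out ifindex 2 (LAN), and a reject route for 192.0.2.0/24. */
static const struct route sample_table[] = {
    { IP4(0, 0, 0, 0),   0,  1, 0 },
    { IP4(10, 0, 0, 0),  8,  2, 0 },
    { IP4(192, 0, 2, 0), 24, 1, RTF_REJECT },
};

static bool prefix_match(uint32_t addr, uint32_t net, int plen) {
    uint32_t mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    return (addr & mask) == (net & mask);
}

/* Longest-prefix match; the /0 default route is a legitimate answer. */
static const struct route *rt_lookup(const struct route *tbl, size_t n, uint32_t src) {
    const struct route *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (prefix_match(src, tbl[i].net, tbl[i].plen) &&
            (best == NULL || tbl[i].plen > best->plen))
            best = &tbl[i];
    return best;
}

/* Check as described in the thread: look up the route back to src; fail on
 * an RTF_REJECT/RTF_BLACKHOLE route or when the route's interface differs
 * from the ingress interface. A source matching only the default route
 * passes if it arrived on the default route's interface. No route at all
 * is treated as a failure (assumption, not stated in the thread). */
bool rpf_check(const struct route *tbl, size_t n, uint32_t src, int in_ifindex) {
    const struct route *rt = rt_lookup(tbl, n, src);
    if (rt == NULL) return false;
    if (rt->flags & (RTF_REJECT | RTF_BLACKHOLE)) return false;
    return rt->ifindex == in_ifindex;
}

/* Convenience wrapper over the constructed sample table. */
bool rpf_sample(uint32_t src, int in_ifindex) {
    return rpf_check(sample_table, sizeof sample_table / sizeof sample_table[0], src, in_ifindex);
}
```

A 10.1.2.3 source arriving on the uplink (ifindex 1) fails because the 10/8 route points at the LAN, which is the spoofed-source case the check exists for; the same source on ifindex 2 passes.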