Date: Tue, 10 Aug 2004 11:02:10 -0400 (EDT)
From: Robert Watson
To: Andre Oppermann
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-Reply-To: <200408091612.i79GCAOB064830@repoman.freebsd.org>
Subject: Re: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw.8 ipfw2.c

On Mon, 9 Aug 2004, Andre Oppermann wrote:

>   Modified files:
>     sys/netinet          ip_fw.h ip_fw2.c
>     sbin/ipfw            ipfw.8 ipfw2.c
>   Log:
>   New ipfw option "antispoof":
>
>   For incoming packets, the packet's source address is checked if it
>   belongs to a directly connected network.  If the network is directly
>   connected, then the interface the packet came on in is compared to
>   the interface the network is connected to.  When incoming interface
>   and directly connected interface are not the same, the packet does
>   not match.

If you would append opcodes to the enum rather than inserting them, you
would find you wouldn't break everyone's firewalls when they install their
kernel and reboot before installing world.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research
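
The breakage described in the reply above, as an added example that is not part of the original message or of the FreeBSD source. The opcode names and values are hypothetical stand-ins for the ip_fw.h enum and the rule is a constructed sample; the code decodes a rule built by an old userland binary under a kernel whose enum had the new opcode inserted versus appended.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical opcodes standing in for the ip_fw.h enum (not the real list). */
enum old_op { OLD_NOP, OLD_IP_SRC, OLD_IP_DST, OLD_ACCEPT, OLD_DENY, OLD_LAST };
/* New opcode inserted mid-enum: every later value shifts by one. */
enum ins_op { INS_NOP, INS_IP_SRC, INS_ANTISPOOF, INS_IP_DST, INS_ACCEPT,
              INS_DENY, INS_LAST };
/* New opcode appended: existing values keep their numbers. */
enum app_op { APP_NOP, APP_IP_SRC, APP_IP_DST, APP_ACCEPT, APP_DENY,
              APP_ANTISPOOF, APP_LAST };

static const char *old_names[OLD_LAST] = {
    [OLD_NOP] = "nop", [OLD_IP_SRC] = "ip_src", [OLD_IP_DST] = "ip_dst",
    [OLD_ACCEPT] = "accept", [OLD_DENY] = "deny" };
static const char *ins_names[INS_LAST] = {
    [INS_NOP] = "nop", [INS_IP_SRC] = "ip_src", [INS_ANTISPOOF] = "antispoof",
    [INS_IP_DST] = "ip_dst", [INS_ACCEPT] = "accept", [INS_DENY] = "deny" };
static const char *app_names[APP_LAST] = {
    [APP_NOP] = "nop", [APP_IP_SRC] = "ip_src", [APP_IP_DST] = "ip_dst",
    [APP_ACCEPT] = "accept", [APP_DENY] = "deny", [APP_ANTISPOOF] = "antispoof" };

/* Constructed rule as emitted by userland built against the OLD header. */
static const int old_rule[] = { OLD_IP_SRC, OLD_IP_DST, OLD_DENY };
#define RULE_LEN (sizeof(old_rule) / sizeof(old_rule[0]))

/* Count opcodes the kernel decodes differently from what userland meant. */
int misdecoded(const char **kernel_names, size_t kernel_count, int verbose)
{
    int bad = 0;
    for (size_t i = 0; i < RULE_LEN; i++) {
        size_t op = (size_t)old_rule[i];
        const char *meant = old_names[op];
        const char *seen = op < kernel_count ? kernel_names[op] : "invalid";
        if (strcmp(meant, seen) != 0) {
            bad++;
            if (verbose)
                printf("  opcode %zu: userland meant %s, kernel sees %s\n",
                       op, meant, seen);
        }
    }
    return bad;
}

int main(void)
{
    printf("inserted: %d misdecoded\n", misdecoded(ins_names, INS_LAST, 1));
    printf("appended: %d misdecoded\n", misdecoded(app_names, APP_LAST, 1));
    return 0;
}
```
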