Date: Sun, 1 Jan 2006 20:39:09 +0100
From: Yann Berthier <yb@bashibuzuk.net>
To: freebsd-pf@freebsd.org
Subject: Re: [feature] ipfw verrevpath/versrcreach?
Message-ID: <20060101193909.GK826@bashibuzuk.net>
In-Reply-To: <20060101175800.GP42629@FreeBSD.org>
References: <20051227084823.28384.qmail@web32611.mail.mud.yahoo.com> <20051227122546.GE81@insomnia.benzedrine.cx> <43B5C7E1.8060400@mr0vka.eu.org> <20060101175800.GP42629@FreeBSD.org>

Hello,

On Sun, 01 Jan 2006, at 20:58, Gleb Smirnoff wrote:
> On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:
> Ł> Is there by any chance work being done on pf to include functionality
> Ł> that is present in FreeBSD ipfw, that checks if packet entered
> Ł> router via correct interface as pointed out by routing table?
> Ł>
> Ł> I know there is antispoof, but it's simple check of connected network
> Ł> and interface address, not full lookup to routing table contents.
> Ł> On ipfw it's called verrevpath (checking if routing table points
> Ł> for this source IP to the interface it came on) and versrcreach
> Ł> (the same but default and blackhole routes don't count).
>
> Implementing this feature is very easy. The code that does this
> check is only a few lines. You can just copy and paste code from
> ipfw(4) and add new keywords to pf(4). Then submit patch to Daniel
> and Max.

Are there reasons not to implement these checks conditionally (the
strict and the loose mode) in the stack itself, in the same vein as,
say, the blackhole or the drop_synfin checks?

Just curious - but uRPF filtering can be very handy, and I don't need
full-fledged filtering on every machine.

Regards,

- yann

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060101193909.GK826>
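
Added example, not part of the message above and not code from ipfw or pf: a user-space sketch of the two reverse-path checks the thread discusses. Loose mode here follows ipfw(8)'s description of versrcreach, which does not compare the interface. The routing table, interface names and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed IPv4 routing table (host byte order); not from the thread. */
struct route { uint32_t prefix; int plen; const char *ifname; int blackhole; };

static const struct route rtable[] = {
    { 0x00000000,  0, "em0", 0 },  /* default route via em0      */
    { 0xC0000200, 24, "em1", 0 },  /* 192.0.2.0/24 via em1       */
    { 0xC6336400, 24, "em2", 0 },  /* 198.51.100.0/24 via em2    */
    { 0xCB007100, 24, "lo0", 1 },  /* 203.0.113.0/24, blackholed */
};

/* Longest-prefix match on the packet's source address. */
static const struct route *rt_lookup(uint32_t addr)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
        const struct route *r = &rtable[i];
        uint32_t mask = r->plen ? ~(uint32_t)0 << (32 - r->plen) : 0;
        if ((addr & mask) == r->prefix && (!best || r->plen > best->plen))
            best = r;
    }
    return best;
}

/* Strict mode: the route back to src must leave via the receiving interface. */
int urpf_strict(uint32_t src, const char *rcvif)
{
    const struct route *r = rt_lookup(src);
    return r != NULL && strcmp(r->ifname, rcvif) == 0;
}

/* Loose mode: src must be reachable by a route that is neither the
 * default route nor a blackhole route; the interface is not compared. */
int urpf_loose(uint32_t src)
{
    const struct route *r = rt_lookup(src);
    return r != NULL && r->plen > 0 && !r->blackhole;
}

int main(void)
{
    uint32_t src = 0xC000020A;  /* 192.0.2.10, constructed sample source */
    printf("em1: strict=%d loose=%d\n", urpf_strict(src, "em1"), urpf_loose(src));
    printf("em2: strict=%d loose=%d\n", urpf_strict(src, "em2"), urpf_loose(src));
    return 0;
}
```

A source that is only covered by the default route passes the strict check on the default interface but fails the loose one, which is the difference between the two modes that matters on a host with a single uplink.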