From: Yann Berthier
To: freebsd-pf@freebsd.org
Date: Sun, 1 Jan 2006 20:39:09 +0100
Subject: Re: [feature] ipfw verrevpath/versrcreach?
Message-ID: <20060101193909.GK826@bashibuzuk.net>
In-Reply-To: <20060101175800.GP42629@FreeBSD.org>

Hello,

On Sun, 01 Jan 2006, at 20:58, Gleb Smirnoff wrote:
> On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:
> Ł> Is there by any chance work being done on pf to include functionality
> Ł> that is present in FreeBSD ipfw, that checks if a packet entered the
> Ł> router via the correct interface as pointed out by the routing table?
> Ł>
> Ł> I know there is antispoof, but it's a simple check of the connected network
> Ł> and interface address, not a full lookup of the routing table contents.
> Ł> On ipfw it's called verrevpath (checking if the routing table points
> Ł> for this source IP to the interface it came in on) and versrcreach
> Ł> (the same, but default and blackhole routes don't count).
>
> Implementing this feature is very easy. The code that does this
> check is only a few lines. You can just copy and paste code from
> ipfw(4) and add new keywords to pf(4). Then submit a patch to Daniel
> and Max.

Are there reasons not to implement these checks (the strict and the loose
mode) conditionally in the stack itself, in the same vein as, say, the
blackhole or the drop_synfin checks? Just curious - but uRPF filtering
can be very handy, and I don't need full-fledged filtering on every
machine.

Regards,

- yann
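The strict (verrevpath) and loose (versrcreach) reverse-path checks discussed in this thread, as an added example that is not part of the thread or of the ipfw/pf code: a Python simulation over a constructed routing table (interface names, prefixes and sample packets are assumptions). It shows the one case where the two modes differ: a source covered only by the default route passes strict mode on the upstream interface but fails loose mode.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface, blackhole flag).
# The default route and the blackhole entry are exactly the routes that
# versrcreach ignores; verrevpath considers them like any other route.
ROUTES = [
    ("0.0.0.0/0",       "em0", False),  # default route towards upstream
    ("192.0.2.0/24",    "em1", False),  # LAN (assumed names/prefixes)
    ("198.51.100.0/24", "em2", False),  # DMZ
    ("203.0.113.0/24",  None,  True),   # null-routed prefix (blackhole)
]

def lookup(src):
    """Longest-prefix match for src; returns (network, iface, blackhole) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface, blackhole in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, blackhole)
    return best

def verrevpath(src, ingress):
    """Strict uRPF: the route back to src must point at the ingress interface."""
    route = lookup(src)
    return route is not None and not route[2] and route[1] == ingress

def versrcreach(src):
    """Loose uRPF: src needs a route that is neither the default nor a blackhole."""
    route = lookup(src)
    return route is not None and not route[2] and route[0].prefixlen > 0

def check(packets):
    """Evaluate (src, ingress) pairs; returns {src: (strict_ok, loose_ok)}."""
    return {src: (verrevpath(src, ingress), versrcreach(src))
            for src, ingress in packets}

if __name__ == "__main__":
    # Constructed sample: a legitimate LAN host, a LAN address spoofed from
    # upstream, an unknown Internet source, and a null-routed source.
    sample = [("192.0.2.10", "em1"), ("192.0.2.20", "em0"),
              ("172.16.5.5", "em0"), ("203.0.113.7", "em0")]
    for src, (strict_ok, loose_ok) in check(sample).items():
        print(f"{src:15} verrevpath={strict_ok!s:5} versrcreach={loose_ok}")
```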