Date: Tue, 3 Jan 2006 12:51:20 +0100
From: Yann Berthier <yb@bashibuzuk.net>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Reverse Path Filtering check in ip_input.c
Message-ID: <20060103115120.GG840@bashibuzuk.net>
In-Reply-To: <43B9C7CC.7090703@mr0vka.eu.org>
References: <43B9C7CC.7090703@mr0vka.eu.org>
Hello,

On Tue, 03 Jan 2006, at 01:39, Łukasz Bromirski wrote:

> Hi,
>
> Following some short discussion on freebsd-pf I've written (mostly
> copied, but let's skip that for a moment) a short patch for ip_input.c,
> that does a uRPF check for incoming packets.
>
> In some simple words, it's exactly the function ipfw2 is calling when
> You specify a rule with `versrcreach', but it's there in the core
> network processing path and it's controlled via sysctl, so You don't
> need any packet filter in the system to get the job done.
>
> If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
> it's set to 1, checking of source address/interface against the routing
> table is in effect. Checks will skip packets coming in from
> loopback or CARP interfaces.
>
> When the packet is going to be dropped, there's a syslog message
> generated with the source IP address and the input interface it came on,
> and system counters are increased.
>
> Patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with the latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
>
> Please note however, this code is for IPv4 only.
>
> http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
> SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Nice !

> Please also note, there's already a similar sysctl in ip_input.c -
> it's named ip_checkinterface and does a subset of the uRPF checks, so
> while I don't think this patch is going to make it into the source tree,
> maybe it's time for someone wiser than me to review the code and
> 'update' the ip_input.c code?

If this yet-to-be-found wiser guy would not forget the loose check too
(verrevpath in ipfw speaking), where packets matching the default route
are ok ... :)

Cheers,

- yann
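The strict and loose flavours of the check discussed in this thread, as an added illustration that is not part of the thread or of the patch: a constructed routing table with longest-prefix match, a strict mode where the route back to the source must leave through the input interface, and a loose mode where any route suffices, with an `accept_default` knob (my assumption, not an ipfw or sysctl option) deciding whether a lookup that hits only the default route counts. Loopback and CARP interfaces are skipped, as the patch does.

```python
import ipaddress

# Constructed routing table, not FreeBSD's radix tree: (prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "em0"),      # default route towards the upstream
    ("10.0.0.0/8", "em1"),     # internal network
    ("192.0.2.0/24", "em2"),   # another directly attached segment
]
ROUTE_TABLE = [(ipaddress.ip_network(p), ifn) for p, ifn in ROUTES]


def lookup(src, table=ROUTE_TABLE):
    """Longest-prefix match for src; returns (network, out_ifn) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn)
    return best


def urpf_check(src, in_ifn, strict=True, accept_default=False, table=ROUTE_TABLE):
    """Decide whether a packet from src arriving on in_ifn passes uRPF.

    strict=True : the route back to src must leave through in_ifn (reverse path);
                  the default route is treated like any other route here (assumption).
    strict=False: any route to src is enough, whatever its interface; accept_default
                  says whether a lookup that hits only the default route counts.
    Returns (accepted, reason); reason is what the drop log line would carry.
    """
    # The patch in the thread skips loopback and CARP interfaces entirely.
    if in_ifn.startswith(("lo", "carp")):
        return True, "skipped on %s" % in_ifn
    hit = lookup(src, table)
    if hit is None:
        return False, "no route to source %s, in %s" % (src, in_ifn)
    net, out_ifn = hit
    if strict:
        if out_ifn != in_ifn:
            return False, "source %s routes via %s, packet came in on %s" % (src, out_ifn, in_ifn)
        return True, "ok"
    if net.prefixlen == 0 and not accept_default:
        return False, "source %s matched only the default route, in %s" % (src, in_ifn)
    return True, "ok"
```

Note that with a default route present, strict mode accepts any unknown source as long as it arrives on the default route's interface, while loose mode without `accept_default` rejects it; that difference is exactly what makes the two checks suit different positions in a network.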
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060103115120.GG840>