From owner-freebsd-net@FreeBSD.ORG Tue Jan 3 13:58:28 2006
Message-ID: <43BA82F7.7070408@bromirski.net>
Date: Tue, 03 Jan 2006 14:58:15 +0100
From: Łukasz Bromirski
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
References: <43B9C7CC.7090703@mr0vka.eu.org> <20060103115120.GG840@bashibuzuk.net>
In-Reply-To: <20060103115120.GG840@bashibuzuk.net>
Subject: Re: Reverse Path Filtering check in ip_input.c

Yann Berthier wrote:

> If this yet to be found wiser guy would not forget the loose check
> too (verrevpath in ipfw speaking), where packets matching the default
> route are ok ... :)

Actually it does that, and will until we have the option to have two or more default routes.
Presently, if a packet comes in via an interface and the reply for it should be sent on the same interface (because the default route points to it and there are no other routes pointing to the same destination via another interface), it will work. The check fails if there's either an interface mismatch, or the source is present in the routing table but marked as an RTF_REJECT/BLACKHOLE one.

OpenBSD imported the KAME mroute extension that enables them to have more than one route for a given destination simultaneously in the routing table. I'm looking into it now, as it's a very attractive thing; however, as Andre is doing a rework of the network code, I'm sure we'll have it sooner or later, and then maybe someone will revise the old checks already marked as 'XXX' in the code ;)

-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net
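
Added example (not part of the original message, and not the ip_input.c code under discussion): a user-space C model of the check as the message describes it, with one best route per source, a pass when that route (the default route included) points back out the arrival interface, and a fail on interface mismatch or a reject/blackhole route. The names toy_route, toy_lookup, rpf_check, the TOY_RTF_* flags and the routing table are constructed for illustration; failing when no route exists at all is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for the kernel route flags named in the message. */
#define TOY_RTF_REJECT    0x1
#define TOY_RTF_BLACKHOLE 0x2

struct toy_route {
    uint32_t prefix;   /* network address, host byte order */
    int      plen;     /* prefix length, 0 = default route */
    int      ifindex;  /* interface the route points to */
    int      flags;
};

/* Constructed table: default via if 1, a LAN on if 2, one blackholed net. */
static const struct toy_route toy_table[] = {
    { 0x00000000,  0, 1, 0 },                  /* default         -> if 1 */
    { 0xC0A80A00, 24, 2, 0 },                  /* 192.168.10.0/24 -> if 2 */
    { 0x0A000000,  8, 1, TOY_RTF_BLACKHOLE },  /* 10.0.0.0/8 blackholed   */
};

/* Longest-prefix match: exactly one best route per destination. */
static const struct toy_route *toy_lookup(uint32_t addr)
{
    const struct toy_route *best = NULL;
    for (size_t i = 0; i < sizeof(toy_table) / sizeof(toy_table[0]); i++) {
        const struct toy_route *r = &toy_table[i];
        uint32_t mask = r->plen ? ~(uint32_t)0 << (32 - r->plen) : 0;
        if ((addr & mask) == r->prefix && (!best || r->plen > best->plen))
            best = r;
    }
    return best;
}

/* Returns 1 if a packet from src arriving on in_if passes the check. */
int rpf_check(uint32_t src, int in_if)
{
    const struct toy_route *r = toy_lookup(src);
    if (r == NULL) return 0;      /* assumption: no route at all fails */
    if (r->flags & (TOY_RTF_REJECT | TOY_RTF_BLACKHOLE))
        return 0;                 /* source is routed to reject/blackhole */
    return r->ifindex == in_if;   /* interface mismatch fails */
}

int main(void)
{
    printf("%d %d\n", rpf_check(0x08080808, 1), rpf_check(0x08080808, 2));
    return 0;
}
```

Because the lookup returns a single best route, a source that is legitimately reachable through a second interface still fails, which is the limitation multiple routes per destination would lift.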