Date: Mon, 19 Jul 2004 22:12:38 -0400
From: James <haesu@towardex.com>
To: Andre Oppermann <andre@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: IPFW2 versrcreach update
Message-ID: <20040720021237.GA74977@scylla.towardex.com>
Andre, et al:

Previously, in the "My planned work on networking stack" thread, Andre made a patch which allows loose-check uRPF verification using ipfw2. The command syntax is versrcreach as opposed to verrevpath. The versrcreach simply checks if the source address has a route other than default. In other words, pass the packet if the source address is reachable via any interface available where there is a route for. This is useful in a multihomed BGP environment (mostly for service providers using FreeBSD as routing platform). The message in which Andre posted the patch is below this email, quoted.

Anyhow, getting straight to business:

The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.

Under verify_path() in the ip_fw2.c patch Andre provided, I'd like to propose possibly including the following line of change I'm thinking about in my head right now.

/* if no ifp provided, check if rtentry is not default route */ if (ifp == NULL && satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) { RTFREE(ro.ro_rt); return 0; } + /* by this point a route is found. check if this is pointed + * to blackhole/reject */ + if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE) ) { + RTFREE(ro.ro_rt); + return 0; + }

Haven't tested this yet, but will do tomorrow after I finish some other stuff I need done before rebooting w/ a test kernel. Anyway the idea is to fail the check if the route has the RTF_REJECT or RTF_BLACKHOLE flag, under loose-check (ifp set to NULL) operation, which is an easy, straightforward change.

Thanks,
-J

-- 
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net

> 
> Here you go:
> 
> http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
> 
> This one implements the standard functionality, the definition of an
> interface through which it has to be reachable is not (yet) supported.
> 
> Using this option only makes sense when you don't have a default route
> which naturally always matches. So this is useful for machines acting
> as routers with a default-free view of the entire Internet as common
> when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
> 
> One useful way of enabling it globally on a router looks like this:
> 
> ipfw add xxxx deny ip from any to any not versrcreach
> 
> or for an individual interface only:
> 
> ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
> 
> I'd like to get some feedback (and a man page draft) before I commit it
> to -CURRENT.
> 
> --
> Andre
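Review bot: the added `if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE) )` changes what versrcreach accepts (a route carrying RTF_REJECT or RTF_BLACKHOLE no longer counts as reachable), so that semantic belongs in the man page draft Andre asked for, next to the existing default-route exclusion. The condition parses as intended because `&` binds tighter than `&&`, but writing the flag test as `(ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE))` makes the intent explicit and also removes the stray space before the closing parenthesis. Because the new block sits directly after the default-route check and reuses its `ifp == NULL` guard, it affects only loose-check mode, which matches the stated intent, and the `RTFREE(ro.ro_rt)` before `return 0` keeps the route reference handling consistent with the block above it.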
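To make the intended behaviour concrete, here is an added userland model of the verify_path() logic discussed above (example code written for this page, not the ip_fw2.c patch or any FreeBSD code). It runs the loose check (ifp == NULL, versrcreach) and the strict check (ifp set, verrevpath) against a constructed routing table, including the proposed rule that a route flagged RTF_REJECT or RTF_BLACKHOLE fails the loose check. The interface names em0/em1/lo0, the table contents and the numeric RTF_* values are assumptions of this model; the real kernel looks the route up via rtalloc_ign(), tests rt_key() against INADDR_ANY and releases the reference with RTFREE(), none of which is modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names follow the patch; the numeric values are this model's own
 * (assumption: they need not match the ones in net/route.h). */
#define RTF_REJECT    0x1
#define RTF_BLACKHOLE 0x2

struct route_entry {
	uint32_t dst;     /* network address, host byte order */
	uint32_t mask;    /* netmask, host byte order */
	const char *ifp;  /* interface the route points out of */
	int flags;        /* RTF_* flags */
};

/* Build a host-order IPv4 address from its dotted-quad components. */
static uint32_t ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	    ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed routing table (hypothetical interface names):
 *   0.0.0.0/0     -> em0   default route
 *   10.0.0.0/8    -> em1   an ordinary route, as an IGP/BGP prefix would be
 *   192.0.2.0/24  -> lo0   a nullroute, the blackhole case the thread is about */
static const struct route_entry rtable[] = {
	{ 0x00000000, 0x00000000, "em0", 0 },
	{ 0x0A000000, 0xFF000000, "em1", 0 },
	{ 0xC0000200, 0xFFFFFF00, "lo0", RTF_BLACKHOLE },
};

/* Longest-prefix match; NULL when nothing matches (no default route). */
static const struct route_entry *rt_lookup(uint32_t addr)
{
	const struct route_entry *best = NULL;
	size_t i;

	for (i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
		const struct route_entry *e = &rtable[i];
		if ((addr & e->mask) != e->dst)
			continue;
		if (best == NULL || e->mask > best->mask)
			best = e;
	}
	return best;
}

/* Model of verify_path(): ifp == NULL selects the loose check (versrcreach),
 * a non-NULL ifp the strict check (verrevpath). Returns 1 if the packet passes. */
int verify_path(uint32_t src, const char *ifp)
{
	const struct route_entry *rt = rt_lookup(src);

	if (rt == NULL)
		return 0;	/* no route at all */
	/* loose check: the default route alone does not make the source reachable
	 * (the patch tests rt_key() against INADDR_ANY; a zero mask is the same route) */
	if (ifp == NULL && rt->mask == 0)
		return 0;
	/* the proposed addition: a route into a reject/blackhole facility fails too */
	if (ifp == NULL && (rt->flags & (RTF_REJECT | RTF_BLACKHOLE)))
		return 0;
	/* strict check: the route must point back out the receiving interface */
	if (ifp != NULL && strcmp(rt->ifp, ifp) != 0)
		return 0;
	return 1;
}

int main(void)
{
	struct { const char *what; uint32_t src; const char *ifp; } cases[] = {
		{ "10.1.2.3 loose",         ip4(10, 1, 2, 3),    NULL  },
		{ "203.0.113.5 loose",      ip4(203, 0, 113, 5), NULL  },
		{ "192.0.2.7 loose",        ip4(192, 0, 2, 7),   NULL  },
		{ "10.1.2.3 strict on em1", ip4(10, 1, 2, 3),    "em1" },
		{ "10.1.2.3 strict on em0", ip4(10, 1, 2, 3),    "em0" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-24s -> %s\n", cases[i].what,
		    verify_path(cases[i].src, cases[i].ifp) ? "pass" : "deny");
	return 0;
}
```

With this table the loose check passes 10.1.2.3 (a real route via em1), denies 203.0.113.5 (only the default route matches) and denies 192.0.2.7 (its only route is the blackhole), which is exactly the "nullroute as pseudo-firewall" effect described above; the strict check additionally ties the route to the receiving interface.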