Date: Thu, 08 Jan 2009 12:26:49 -0800
From: Julian Elischer <julian@elischer.org>
To: Adrian Chadd <adrian@freebsd.org>
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Julian's source IP address spoofing - code review requested
Message-ID: <49666189.9010406@elischer.org>
In-Reply-To: <d763ac660901081146s7827298aj486c2acca0e650f9@mail.gmail.com>
References: <d763ac660901081146s7827298aj486c2acca0e650f9@mail.gmail.com>
Adrian Chadd wrote:
> G'day all,
>
> I've finally gotten around to pulling apart some of Julian Elischer's
> work on the source IP address spoofing stuff and I've been testing it
> on my local squid-2 fork (cacheboy.)
>
> I'd appreciate some comments and review before I begin committing bits
> of it to freebsd-current.
>
> The work will be available here, including a brief description of what
> is going on:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/

Well, the for_me rule in ipfw may have similar problems that the uid rules had WRT lock order. I notice you are using a read lock, which may solve that problem.

I see you always call ether_demux when a packet is moved up.. hopefully that will also work if an interface is NOT ethernet?

Hey, I know I originally wrote this, but it's been a while and I must say I was following tracks made by others, and we are using only a subset of possible hardware...

> I'd first like to commit the core changes which introduce a new
> compile option, sysctl and IP option to enable a non-local IP address
> in bind(). That in itself is enough to at least begin testing under
> -current and releng_7.

The logical equivalent of this code (not prettied up) has been in Ironport's FreeBSD since 4.x. The code in if_bridge is new, as we used the old bridge code, but it's logically similar.

FYI, we will probably switch to a single netgraph node that does bridging and filtering combined in 7.x :-)

> The diff against -current for this first phase is available here:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff
>
> I'm currently running just this patch on a machine in the netperf
> cluster which is acting as a transparent HTTP interception thing. It
> seems to handle "moderate" request rates (~1500 socket creations a
> second, ~150mbit). This first patch is pretty straight forward and I'm
> reasonably confident that it won't break anything in -current or
> releng_7 which isn't already broken.
>

For others, this is a patch that allows the proxy to be a "bump on the wire". It is proxying between two segments of the same subnet, completely transparently (assuming you do server side spoofing too.)

> There are other changes to IPFW and the bridging code which I'll ask
> to be reviewed separately.
>
> Thanks!
>
>
>
> Adrian
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"