IPFW2 versrcreach update

James haesu at towardex.com
Mon Jul 19 19:12:39 PDT 2004

Andre, et al:

Previously, in the "My planned work on networking stack" thread, Andre made a patch
which allows loose-check uRPF verification using ipfw2. The command syntax is
versrcreach as opposed to verrevpath. The versrcreach simply checks if the
source address has a route other than default. In other words, pass the packet
if the source address is reachable via any available interface for which there
is a route. This is useful in a multihomed BGP environment (mostly for service
providers using FreeBSD as a routing platform). The message in which Andre posted
the patch is quoted below this email.

Anyhow, getting straight to business:
The uRPF loose-check implementation by the industry vendors, at least on Cisco
and possibly Juniper, will fail the check if the route of the source address
is pointed to Null0 (on Juniper, discard or reject route). What this means is,
even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
as a pseudo-packet-firewall without using any manual filtering configuration --
one can simply inject an IGP or BGP prefix with next-hop set to a static route
that directs to null/discard facility. This results in uRPF Loose-check failing
on all packets with source addresses that are within the range of the nullroute.

Under verify_path() in ip_fw2.c patch Andre provided, I'd like to propose 
possibly including the following line of change I'm thinking about in my head
right now.

        /* if no ifp provided, check if rtentry is not default route */
        if (ifp == NULL &&
             satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) {
                return 0;

+       /* by this point a route is found. check if this is pointed
+        * to blackhole/reject */
+        if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE) ) {
+                RTFREE(ro.ro_rt);
+                return 0;
+        }
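Review bot: the new block releases the route with RTFREE() before returning 0, but the default-route check directly above it (the `return 0;` after the INADDR_ANY test) returns without an RTFREE() in the quoted context; if that context is complete, the default-route path leaks the reference held in ro.ro_rt, and both early-return paths should release it the same way. Minor style point on the condition: `ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)` relies on `&` binding tighter than `&&`; wrapping the flag test in its own parentheses, `(ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE))`, makes the intent obvious and avoids a compiler warning about mixed operators.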

Haven't tested this yet, but will do tomorrow after I finish some other stuff
I need done before rebooting w/ a test kernel.
Anyway the idea is to fail the check if the route has RTF_REJECT or
RTF_BLACKHOLE flag, under loose-check (ifp set to NULL) operation, which is
an easy straightforward change.


James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james at towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

> Here you go:
>  http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
> This one implements the standard functionality, the definition of an
> interface through which it has to be reachable is not (yet) supported.
> Using this option only makes sense when you don't have a default route
> which naturally always matches.  So this is useful for machines acting
> as routers with a default-free view of the entire Internet as common
> when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
> One useful way of enabling it globally on a router looks like this:
>  ipfw add xxxx deny ip from any to any not versrcreach
> or for an individual interface only:
>  ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
> I'd like to get some feedback (and a man page draft) before I commit it
> to -CURRENT.
> -- 
> Andre
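To show the loose-check semantics discussed in this thread end to end (default route never satisfies the check; a matching route flagged reject/blackhole fails it), here is a stand-alone C model added for illustration. It is not the ipfw2 patch or FreeBSD's verify_path(): the routing table, the RTF_* numeric values, the dotted-quad parser and the longest-prefix lookup that stands in for the kernel's route lookup are all constructed here, and the sample addresses come from private and TEST-NET ranges.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Route flags named as in the mail; the numeric values are constructed for
 * this stand-alone model and are not FreeBSD's. */
#define RTF_REJECT    0x0008u
#define RTF_BLACKHOLE 0x1000u

struct rtentry_model {
    uint32_t dst;    /* destination network, host byte order */
    uint32_t mask;   /* contiguous netmask, host byte order */
    unsigned flags;  /* RTF_* bits */
};

/* Constructed routing table: two ordinary prefixes, one null-routed /24 inside
 * 192.168.0.0/16, and a default route that must never satisfy the check. */
static const struct rtentry_model rtable[] = {
    { 0x0A000000u, 0xFF000000u, 0 },                         /* 10.0.0.0/8 */
    { 0xC0A80000u, 0xFFFF0000u, 0 },                         /* 192.168.0.0/16 */
    { 0xC0A80100u, 0xFFFFFF00u, RTF_REJECT | RTF_BLACKHOLE },/* 192.168.1.0/24 -> null */
    { 0x00000000u, 0x00000000u, 0 },                         /* 0.0.0.0/0 default */
};
#define RTABLE_LEN (sizeof(rtable) / sizeof(rtable[0]))

/* Parse a dotted quad into a host-order integer; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Longest-prefix match over the constructed table (stand-in for the kernel
 * route lookup). Contiguous masks compare as unsigned integers, so the
 * numerically largest matching mask is the longest prefix. */
static const struct rtentry_model *rt_lookup(uint32_t addr)
{
    const struct rtentry_model *best = NULL;
    for (size_t i = 0; i < RTABLE_LEN; i++) {
        if ((addr & rtable[i].mask) != rtable[i].dst) continue;
        if (best == NULL || rtable[i].mask > best->mask) best = &rtable[i];
    }
    return best;
}

/* Verdict codes so a caller (or a log line) can say why a source failed. */
enum srcreach { SRC_OK = 1, SRC_NO_ROUTE = 0, SRC_DEFAULT_ONLY = -1, SRC_BLACKHOLE = -2 };

/* Loose uRPF check as described in the thread: the source must match a route
 * whose key is not INADDR_ANY (i.e. not the default route) and which is not
 * flagged RTF_REJECT or RTF_BLACKHOLE. This is the ifp == NULL case only. */
int versrcreach_loose(uint32_t src)
{
    const struct rtentry_model *rt = rt_lookup(src);
    if (rt == NULL) return SRC_NO_ROUTE;
    if (rt->dst == 0 && rt->mask == 0) return SRC_DEFAULT_ONLY; /* rt_key == INADDR_ANY */
    if (rt->flags & (RTF_REJECT | RTF_BLACKHOLE)) return SRC_BLACKHOLE;
    return SRC_OK;
}

/* ipfw-style match result: 1 = versrcreach matches (pass), 0 = it does not. */
int versrcreach_match(const char *src)
{
    uint32_t a;
    if (!parse_ipv4(src, &a)) return 0;
    return versrcreach_loose(a) == SRC_OK;
}

int main(void)
{
    /* Constructed sample sources: reachable, reachable, null-routed, default-only. */
    const char *samples[] = { "10.1.2.3", "192.168.5.5", "192.168.1.77", "203.0.113.9" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s %s\n", samples[i],
               versrcreach_match(samples[i]) ? "pass" : "deny (not versrcreach)");
    return 0;
}
```

The two failure modes the mail cares about are kept distinct (SRC_DEFAULT_ONLY versus SRC_BLACKHOLE) so that a rule such as `deny ip from any to any not versrcreach` can be reasoned about per prefix: removing the default route from the table makes 203.0.113.9 fail as SRC_NO_ROUTE instead, with the same deny verdict.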

More information about the freebsd-net mailing list