Julian's source IP address spoofing - code review requested
Julian Elischer
julian at elischer.org
Thu Jan 8 12:55:24 PST 2009
Adrian Chadd wrote:
> G'day all,
>
> I've finally gotten around to pulling apart some of Julian Elischer's
> work on the source IP address spoofing stuff and I've been testing it
> on my local squid-2 fork (cacheboy.)
>
> I'd appreciate some comments and review before I begin committing bits
> of it to freebsd-current.
>
> The work will be available here, including a brief description of what
> is going on:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/
Well, the for_me rule in ipfw may have similar problems that
the uid rules had WRT lock order. I notice you are using a read lock,
which may solve that problem.
I see you always call ether_demux when a packet is moved up...
hopefully that will also work if an interface is NOT ethernet?
Hey, I know I originally wrote this, but it's been a while and
I must say I was following tracks made by others, and we
are using only a subset of possible hardware...
>
> I'd first like to commit the core changes which introduce a new
> compile option, sysctl and IP option to enable a non-local IP address
> in bind(). That in itself is enough to at least begin testing under
> -current and releng_7.
The logical equivalent of this code (not prettied up) has been
in Ironport's FreeBSD since 4.x.
The code in if_bridge is new, as we used the old bridge code,
but it's logically similar.
FYI, we will probably switch to a single netgraph node that
does bridging and filtering combined in 7.x :-)
>
> The diff against -current for this first phase is available here:
>
> http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff
>
> I'm currently running just this patch on a machine in the netperf
> cluster which is acting as a transparent HTTP interception thing. It
> seems to handle "moderate" request rates (~1500 socket creations a
> second, ~150mbit). This first patch is pretty straightforward and I'm
> reasonably confident that it won't break anything in -current or
> releng_7 which isn't already broken.
>
For others, this is a patch that allows the proxy to be a "bump on
the wire". It is proxying between two segments of the same subnet,
completely transparently (assuming you do server-side spoofing too.)
> There are other changes to IPFW and the bridging code which I'll ask
> to be reviewed separately.
>
> Thanks!
>
>
>
> Adrian