Julian's source IP address spoofing - code review requested

Adrian Chadd adrian at freebsd.org
Thu Jan 8 14:18:16 PST 2009

2009/1/8 Julian Elischer <julian at elischer.org>:

> I see you always call ether_demux when a packet is moved up..

s/you/you/ :)

This is all your stuff IIRC, I just ported and commented as required.

> hopefully that will also work if an interface is NOT ethernet?

This is why I left the ethernet bridge interception stuff out in a
separate diff.
I'll commit it only once I've spoken to bridge-cluey people and have
their blessing.

> hey I know I originally wrote this but it's been a while and
> I must say I was following tracks made by others, and we
> are using only a subset of possible hardware...

Well, it's entirely possible this stuff will be deployed in two scenarios:

* where it's all done at the IP layer, e.g. policy routing, IPFW
* where it's being done as part of a transparent ethernet bridge

> FYI we will probably switch to a single netgraph node that
> does bridging and filtering combined in 7.x :-)

That'd certainly be nicer. ;)

About the only thing I'm looking to add to this later on is to flesh
out IPv6 source address spoofing too, just in case V6 catches on.
