Reverse Path Filtering check in ip_input.c
lbromirski at mr0vka.eu.org
Mon Jan 2 16:35:42 PST 2006
Following some short discussion on freebsd-pf I've written (mostly
copied, but let's skip that for a moment) a short patch for ip_input.c
that does a uRPF check for incoming packets.

In simple words, it's exactly the function ipfw2 is calling when
you specify a rule with `versrcreach', but it's there in the core
network processing path and it's controlled via sysctl, so you don't
need any packet filter in the system to get the job done.

If sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
it's set to 1, checking of source address/interface against the routing
table is in effect. Checks will skip packets coming in from
loopback or CARP interfaces.

When the packet is going to be dropped, a syslog message is
generated with the source IP address and the input interface it came
in on, and system counters are increased.

The patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
(latest RELENG_5 checkout). It will also work with the latest RELENG_4
checkout (ip_input.c version 22.214.171.124 dated 2005/01/02).

Please note however, this code is for IPv4 only.

SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

Please also note, there's already a similar sysctl in ip_input.c -
it's named ip_checkinterface and does a subset of the urpf checks, so
while I don't think this patch is going to make it into the source tree,
maybe it's time for someone wiser than me to review the code and
'update' the ip_input.c code?

this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net
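
A user-space model of the check described in the message above, added here as an example; it is not the code from ip_input.urpf.diff, which is not shown on this page. The struct names, the constructed routing table and the strict rule (the route back to the source must point at the receiving interface) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum if_type { IF_ETHER, IF_LOOPBACK, IF_CARP };
struct iface { const char *name; enum if_type type; };
struct route { uint32_t dst, mask; const struct iface *ifp; };

/* Constructed sample interfaces and routes (addresses in host byte order). */
static const struct iface em0 = {"em0", IF_ETHER}, em1 = {"em1", IF_ETHER},
                          lo0 = {"lo0", IF_LOOPBACK}, carp0 = {"carp0", IF_CARP};
static const struct route rtable[] = {
    {0x0A000000u, 0xFF000000u, &em1},   /* 10.0.0.0/8   via em1 */
    {0x0A010000u, 0xFFFF0000u, &em0},   /* 10.1.0.0/16  via em0 */
    {0xC0000200u, 0xFFFFFF00u, &em0},   /* 192.0.2.0/24 via em0 */
};
static int urpf_enabled = 1;       /* stands in for sysctl net.inet.ip.urpf */
static unsigned long urpf_drops;   /* stands in for the system drop counter */

/* Longest-prefix match on the source address; NULL when no route covers it. */
static const struct route *rt_lookup(uint32_t addr)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
        const struct route *r = &rtable[i];
        if ((addr & r->mask) == r->dst && (best == NULL || r->mask > best->mask))
            best = r;
    }
    return best;
}

/* Returns 1 to accept the packet, 0 to drop it (counted and logged). */
static int urpf_check(uint32_t src, const struct iface *rcvif)
{
    if (!urpf_enabled)
        return 1;                                   /* check switched off */
    if (rcvif->type == IF_LOOPBACK || rcvif->type == IF_CARP)
        return 1;                                   /* exempt interfaces */
    const struct route *r = rt_lookup(src);
    if (r != NULL && r->ifp == rcvif)
        return 1;                                   /* reverse path matches */
    urpf_drops++;
    fprintf(stderr, "urpf: drop src %u.%u.%u.%u on %s\n", (unsigned)(src >> 24),
        (unsigned)(src >> 16) & 255, (unsigned)(src >> 8) & 255,
        (unsigned)src & 255, rcvif->name);
    return 0;
}

int main(void)
{
    urpf_check(0x0A010203u, &em1);   /* 10.1.2.3 arriving on em1: dropped */
    return urpf_drops == 1 ? 0 : 1;
}
```

The 10.1.2.3 case shows why the lookup has to be longest-prefix: 10.0.0.0/8 points at em1, but the more specific 10.1.0.0/16 points at em0, so the packet fails the check on em1.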