Reverse Path Filtering check in ip_input.c

Yann Berthier yb at bashibuzuk.net
Tue Jan 3 03:52:17 PST 2006


   Hello,

On Tue, 03 Jan 2006, at 01:39, Łukasz Bromirski wrote:

> Hi,
> 
> Following some short discussion on freebsd-pf I've written (mostly
> copied, but let's skip that for a moment) a short patch for ip_input.c
> that does a uRPF check for incoming packets.
> 
> In simple words, it's exactly the function ipfw2 is calling when
> you specify a rule with `versrcreach', but it's there in the core
> network processing path and it's controlled via sysctl, so you don't
> need any packet filter in the system to get the job done.
> 
> If the sysctl net.inet.ip.urpf is set to 0 the check is disabled, and if
> it's set to 1, checking of the source address/interface against the routing
> table is in effect. Checks will skip packets coming in on
> loopback or CARP interfaces.
> 
> When the packet is going to be dropped, there's a syslog message
> generated with the source IP address and the input interface it came on,
> and system counters are increased.
> 
> Patch applies cleanly on ip_input.c version 1.301.2.3 dated 2005/10/09
> (latest RELENG_5 checkout). It will also work with latest RELENG_4
> checkout (ip_input.c version 1.130.2.55 dated 2005/01/02).
> 
> Please note however, this code is for IPv4 only.
> 
>  http://lukasz.bromirski.net/projekty/freebsd/ip_input.urpf.diff
>  SHA1 (ip_input.urpf.diff) = c76319f619a43f1d031e729d361324d3a4d86daf

   Nice !

> Please also note, there's already a similar sysctl in ip_input.c -
> it's named ip_checkinterface and does a subset of the uRPF checks, so
> while I don't think this patch is going to make it into the source tree,
> maybe it's time for someone wiser than me to review the code and
> 'update' the ip_input.c code?

   If this yet-to-be-found wiser guy would not forget the loose check
   too (verrevpath in ipfw speak), where packets matching the default
   route are ok ... :)
 
   Cheers,
   
      - yann 
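The strict versus loose distinction raised in this thread, shown as an added illustration that is not the patch itself (which lives in ip_input.c) but a small Python model of the check over a constructed routing table. The interface names, prefixes, the `SKIPPED_PREFIXES` tuple and the treatment of the default route in loose mode are assumptions made for the example.

```python
import ipaddress

# Constructed routing table (assumption): (destination prefix, egress interface).
# A flat list with longest-prefix match stands in for the kernel's radix tree.
ROUTES = [
    ("0.0.0.0/0", "em0"),        # default route via upstream
    ("192.0.2.0/24", "em1"),     # internal LAN
    ("198.51.100.0/24", "em0"),  # prefix reachable through upstream
]

# The patch description says loopback and CARP ingress is skipped (names assumed).
SKIPPED_PREFIXES = ("lo", "carp")


def lookup(routes, addr):
    """Longest-prefix match; returns (network, ifname) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(routes, src, ingress_if, strict=True, urpf_enabled=1):
    """Model of the sysctl-controlled check.

    strict: the best route back to src must leave via the ingress interface
            (spoofed internal addresses arriving from upstream are dropped).
    loose:  any route back to src suffices, the default route included.
    Returns (accept, reason); the reason carries what the patch would log
    on a drop: the source address and the input interface.
    """
    if urpf_enabled == 0:
        return True, "urpf disabled by sysctl"
    if ingress_if.startswith(SKIPPED_PREFIXES):
        return True, f"{ingress_if} is exempt (loopback/CARP)"
    route = lookup(routes, src)
    if route is None:
        return False, f"no route to source {src} on {ingress_if}"
    net, ifname = route
    if strict and ifname != ingress_if:
        return False, f"source {src} via {ifname}, arrived on {ingress_if}"
    return True, f"source {src} matches {net} via {ifname}"
```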

