Julian's source IP address spoofing - code review requested
Adrian Chadd
adrian at freebsd.org
Thu Jan  8 14:18:16 PST 2009

2009/1/8 Julian Elischer <julian at elischer.org>:
> I see you always call ether_demux when a packet is moved up..
s/you/you/ :)
This is all your stuff IIRC, I just ported and commented as required.
> hopefully that will also work if an interface is NOT ethernet?
This is why I left the ethernet bridge interception stuff out in a
separate diff.
I'll commit it only once I've spoken to bridge-cluey people and have
their blessing.
> hey I know I originally wrote this but it's been a while and
> I must say I was following tracks made by others, and we
> are using only a subset of possible hardware...
Well, it's entirely possible this stuff will be deployed in two scenarios:
* where it's all done at the IP layer, e.g. policy routing, IPFW
* where it's being done as part of a transparent ethernet bridge
> FYI we will probably switch to a single netgraph node that
> does bridging and filtering combined in 7.x :-)
That'd certainly be nicer. ;)
About the only thing I'm looking to add to this later on is to flesh
out IPv6 source address spoofing too, just in case V6 catches on.
Adrian
    
    