[feature] ipfw verrevpath/versrcreach?

Yann Berthier yb at bashibuzuk.net
Sun Jan 1 11:40:08 PST 2006


   Hello,

On Sun, 01 Jan 2006, at 20:58, Gleb Smirnoff wrote:

> On Sat, Dec 31, 2005 at 12:50:57AM +0100, Łukasz Bromirski wrote:
> > Is there by any chance work being done on pf to include functionality
> > that is present in FreeBSD ipfw, that checks if a packet entered the
> > router via the correct interface as pointed out by the routing table?
> > 
> > I know there is antispoof, but it's a simple check of the connected network
> > and interface address, not a full lookup of the routing table contents.
> > On ipfw it's called verrevpath (checking if the routing table points
> > for this source IP to the interface it came in on) and versrcreach
> > (the same, but default and blackhole routes don't count).
> 
> Implementing this feature is very easy. The code that does this
> check is only a few lines. You can just copy and paste the code from
> ipfw(4) and add new keywords to pf(4). Then submit a patch to Daniel
> and Max.

   Are there reasons not to implement these checks conditionally (the
   strict and the loose mode) in the stack itself, in the same vein as,
   say, the blackhole or the drop_synfin checks? Just curious - but
   uRPF filtering can be very handy, and I don't need full-fledged
   filtering on every machine.

   Regards,

      - yann
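As an added illustration (not code from ipfw, pf, or anyone in this thread), here are the two checks the thread describes, strict verrevpath and loose versrcreach, run against a constructed routing table with longest-prefix matching; the interface names and prefixes are made up.

```python
import ipaddress

# Constructed routing table, not taken from any real host.
# Each entry: (prefix, outgoing interface or None, blackhole flag).
ROUTES = [
    ("0.0.0.0/0", "em0", False),       # default route via the uplink
    ("192.168.1.0/24", "em1", False),  # directly connected LAN
    ("10.0.0.0/8", "em2", False),      # internal aggregate
    ("10.99.0.0/16", None, True),      # blackhole route, no interface
]


def lookup(src):
    """Longest-prefix match for src; returns (network, iface, blackhole) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface, blackhole in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, blackhole)
    return best


def verrevpath(src, ingress):
    """Strict uRPF: the route back to src must leave via the ingress interface.

    A default route counts here, as the thread says; a blackhole route has
    no interface and therefore never matches.
    """
    route = lookup(src)
    return route is not None and route[1] == ingress


def versrcreach(src):
    """Loose uRPF: src must be covered by some route that is neither the
    default route nor a blackhole; the ingress interface is not considered."""
    route = lookup(src)
    return route is not None and route[0].prefixlen > 0 and not route[2]


if __name__ == "__main__":
    # Constructed sample packets: (source address, interface it arrived on).
    for src, ingress in [("192.168.1.5", "em1"), ("192.168.1.5", "em0"),
                         ("8.8.8.8", "em0"), ("10.99.1.1", "em2"), ("10.1.2.3", "em2")]:
        print(f"{src:>13} on {ingress}: verrevpath={verrevpath(src, ingress)} "
              f"versrcreach={versrcreach(src)}")
```

The second sample (a LAN source arriving on the uplink) is the spoofing case that strict mode rejects, while the public source arriving via the default route passes strict mode but fails loose mode.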

