From: Andre Oppermann <andre@FreeBSD.org>
Date: Wed, 21 Jul 2004 19:55:14 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet ip_fw2.c src/sbin/ipfw ipfw.8
Message-Id: <200407211955.i6LJtEIl069104@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD
List-Id: CVS commit messages for the entire tree

andre       2004-07-21 19:55:14 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw2.c
    sbin/ipfw            ipfw.8
  Log:
  Extend versrcreach by checking against the rt_flags for RTF_REJECT and
  RTF_BLACKHOLE as well.

  To quote the submitter:

  The uRPF loose-check implementation by the industry vendors, at least on
  Cisco and possibly Juniper, will fail the check if the route of the source
  address is pointed to Null0 (on Juniper, discard or reject route). What
  this means is, even if uRPF Loose-check finds the route, if the route is
  pointed to blackhole, uRPF loose-check must fail.
  This allows people to utilize uRPF loose-check mode as a
  pseudo-packet-firewall without using any manual filtering configuration --
  one can simply inject an IGP or BGP prefix with next-hop set to a static
  route that directs to null/discard facility. This results in uRPF
  Loose-check failing on all packets with source addresses that are within
  the range of the nullroute.

  Submitted by:   James Jun

  Revision  Changes    Path
  1.147     +2 -2      src/sbin/ipfw/ipfw.8
  1.66      +6 -0      src/sys/netinet/ip_fw2.c
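To illustrate the check this commit describes, here is an added C model (not the kernel's own code from ip_fw2.c): a longest-prefix lookup over a constructed routing table, with the loose reverse-path check failing when the matching route carries RTF_REJECT or RTF_BLACKHOLE. The RTF_* values, the route_entry struct and the sample table are constructed stand-ins for the kernel's routing structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative stand-ins for the RTF_* bits in FreeBSD's net/route.h. */
#define RTF_UP        0x0001
#define RTF_REJECT    0x0008
#define RTF_BLACKHOLE 0x1000

struct route_entry {
    uint32_t net;    /* network address, host byte order */
    uint8_t  prefix; /* prefix length, 0 = default route */
    int      flags;  /* RTF_* bits */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Longest-prefix match over a small table, standing in for the kernel radix lookup. */
static const struct route_entry *
rt_lookup(const struct route_entry *tbl, size_t n, uint32_t addr)
{
    const struct route_entry *best = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = tbl[i].prefix ? 0xFFFFFFFFu << (32 - tbl[i].prefix) : 0;
        if ((addr & mask) == tbl[i].net && (best == NULL || tbl[i].prefix > best->prefix))
            best = &tbl[i];
    }
    return best;
}

/* Loose check: a source passes if some route covers it, unless that route is a
 * reject or blackhole (null) route, which is the failure case this commit adds. */
bool verify_src_reach(const struct route_entry *tbl, size_t n, uint32_t src)
{
    const struct route_entry *rt = rt_lookup(tbl, n, src);
    if (rt == NULL)
        return false;                           /* no route at all: fail as before */
    if (rt->flags & (RTF_REJECT | RTF_BLACKHOLE))
        return false;                           /* route points to null: new failure */
    return true;
}
/* Constructed table: a default route plus a blackholed and a rejected prefix. */
const struct route_entry sample_rt[] = {
    { IP4(0, 0, 0, 0),     0,  RTF_UP },
    { IP4(192, 0, 2, 0),   24, RTF_UP | RTF_BLACKHOLE },
    { IP4(203, 0, 113, 0), 24, RTF_UP | RTF_REJECT },
};
const size_t sample_rt_len = sizeof(sample_rt) / sizeof(sample_rt[0]);
```

With the default route present, every source is "reachable" in the old sense; only the more specific null routes make the check fail, which is exactly the pseudo-firewall behaviour the submitter describes.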