Date:      Thu, 8 Jan 2009 17:18:15 -0500
From:      "Adrian Chadd" <adrian@freebsd.org>
To:        "Julian Elischer" <julian@elischer.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: Julian's source IP address spoofing - code review requested
Message-ID:  <d763ac660901081418j4d29b589od90992283b3ad303@mail.gmail.com>
In-Reply-To: <49666189.9010406@elischer.org>
References:  <d763ac660901081146s7827298aj486c2acca0e650f9@mail.gmail.com> <49666189.9010406@elischer.org>

2009/1/8 Julian Elischer <julian@elischer.org>:

> I see you always call ether_demux when a packet is moved up..

s/you/you/ :)

This is all your stuff IIRC, I just ported and commented as required.

> hopefully that will also work if an interface is NOT ethernet?

This is why I left the ethernet bridge interception stuff out in a
separate diff.
I'll commit it only once I've spoken to bridge-cluey people and have
their blessing.

> hey I know I originally wrote this but it's been a while and
> I must say I was following tracks made by others, and we
> are using only a subset of possible hardware...

Well, it's entirely possible this stuff will be deployed in two scenarios:

* where it's all done at the IP layer, e.g. policy routing, IPFW
* where it's being done as part of a transparent ethernet bridge

> FYI we will probably switch to a single netgraph node that
> does bridging and filtering combined in 7.x :-)

That'd certainly be nicer. ;)

About the only thing I'm looking to add to this later on is to flesh
out IPv6 source address spoofing too, just in case V6 catches on.


Adrian