Date:      Wed, 21 Jul 2004 19:55:14 +0000 (UTC)
From:      Andre Oppermann <andre@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_fw2.c src/sbin/ipfw ipfw.8
Message-ID:  <200407211955.i6LJtEIl069104@repoman.freebsd.org>

andre       2004-07-21 19:55:14 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw2.c 
    sbin/ipfw            ipfw.8 
  Log:
  Extend versrcreach by checking against the rt_flags for RTF_REJECT and
  RTF_BLACKHOLE as well.
  
  To quote the submitter:
  
   The uRPF loose-check implementation by the industry vendors, at least on Cisco
   and possibly Juniper, will fail the check if the route of the source address
   is pointed to Null0 (on Juniper, discard or reject route). What this means is,
   even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
   uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
   as a pseudo-packet-firewall without using any manual filtering configuration --
   one can simply inject an IGP or BGP prefix with next-hop set to a static route
   that directs to null/discard facility. This results in uRPF Loose-check failing
   on all packets with source addresses that are within the range of the nullroute.
  
  Submitted by:   James Jun <james@towardex.com>
  
  Revision  Changes    Path
  1.147     +2 -2      src/sbin/ipfw/ipfw.8
  1.66      +6 -0      src/sys/netinet/ip_fw2.c
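The following is an added illustration of the behaviour change described in the log message; it is not the committed ip_fw2.c code and not FreeBSD's verify_path(). It models the routing table as a flat array with longest-prefix match rather than the kernel radix tree, and compares the loose-check outcome before and after reject/blackhole routes are taken into account. The RTF_REJECT and RTF_BLACKHOLE values are assumed to match FreeBSD's net/route.h; the route table and addresses (RFC 5737 documentation ranges) are constructed for the example.

```c
/* Toy model of ipfw "versrcreach" (loose uRPF source check), before and
 * after this commit.  Added example, not FreeBSD's verify_path(): the
 * routing table is a flat array with longest-prefix match. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits assumed to match FreeBSD's <net/route.h>. */
#define RTF_REJECT    0x8
#define RTF_BLACKHOLE 0x1000

/* Dotted quad -> host-order 32-bit address, usable in initializers. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct rt {
    uint32_t prefix;  /* network address, host byte order */
    int      plen;    /* prefix length, 0..32 */
    uint32_t flags;   /* RTF_* bits */
};

static uint32_t mask_of(int plen)
{
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match over the table; NULL when no route covers addr. */
static const struct rt *lookup(const struct rt *tbl, size_t n, uint32_t addr)
{
    const struct rt *best = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = mask_of(tbl[i].plen);
        if ((addr & m) == (tbl[i].prefix & m) &&
            (best == NULL || tbl[i].plen > best->plen))
            best = &tbl[i];
    }
    return best;
}

/* Before this commit: any matching route satisfies the loose check. */
static int versrcreach_before(const struct rt *tbl, size_t n, uint32_t src)
{
    return lookup(tbl, n, src) != NULL;
}

/* After this commit: a matching route that is a reject or blackhole
 * route fails the check as well, so a null-routed source prefix is
 * treated like an unreachable one. */
static int versrcreach_after(const struct rt *tbl, size_t n, uint32_t src)
{
    const struct rt *r = lookup(tbl, n, src);
    if (r == NULL)
        return 0;
    if (r->flags & (RTF_REJECT | RTF_BLACKHOLE))
        return 0;
    return 1;
}

/* Constructed table (no default route): a reachable /24, a blackholed /24
 * with a reachable more-specific /25 inside it, and a rejected /24. */
static const struct rt sample_table[] = {
    { IP4(192, 0, 2, 0),      24, 0 },
    { IP4(198, 51, 100, 0),   24, RTF_BLACKHOLE },
    { IP4(198, 51, 100, 128), 25, 0 },
    { IP4(203, 0, 113, 0),    24, RTF_REJECT },
};
#define SAMPLE_N (sizeof(sample_table) / sizeof(sample_table[0]))

int check_before(uint32_t src) { return versrcreach_before(sample_table, SAMPLE_N, src); }
int check_after(uint32_t src)  { return versrcreach_after(sample_table, SAMPLE_N, src); }

int main(void)
{
    const uint32_t probes[] = {
        IP4(192, 0, 2, 10), IP4(198, 51, 100, 5), IP4(198, 51, 100, 200),
        IP4(203, 0, 113, 7), IP4(10, 0, 0, 1),
    };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        uint32_t s = probes[i];
        printf("%u.%u.%u.%u  before=%d  after=%d\n",
               s >> 24, (s >> 16) & 0xff, (s >> 8) & 0xff, s & 0xff,
               check_before(s), check_after(s));
    }
    return 0;
}
```

Because the check is done on the longest-prefix match, a more-specific reachable route inside a blackholed aggregate still passes; the blackhole only fails sources whose best route is the null route itself.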