Re: My planned work on networking stack

Mon, 08 Mar 2004 15:33:10 -0800 

        one feedback I can provide to this patch...

        under [any] interface checks (the loose check mode), if the route
        is pointed toward a discard interface (e.g. ds0 in freebsd, Null0 in cisco),
        drop the packet.

        under cisco, route pointed to null0 creates a null adjacency, even under
        loose-check mode, causing cef to drop the packets originated with source
        of the said route.

-J

On Fri, Mar 05, 2004 at 10:31:35PM +0100, Andre Oppermann wrote:
> Andre Oppermann wrote:
> > 
> > >         there are still other things freebsd lacks. such as uRPF that 
> > > _SERVICE_PROVIDER_
> > >         can use. ipfw2 has verrevpath but all it does from what i know is strict 
> > > uRPF
> > >         only. service providers like myself, if we were to use freebsd boxen to 
> > > run our
> > >         network, i am not spending money on a router that doesn't do loose-check 
> > > uRPF.
> > >         this sounds like something linux does too but i refuse to use that :P
> > 
> > That is pretty easy to implement.  I should have it by Friday at latest,
> > depends on when exactly I find time for it.
> > 
> >  ip verify unicast source reachable-via [any|ifn]
> > 
> > The ipfw2 command would look like this: ... versrcreach [fxp0]
> 
> Here you go:
> 
>  http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
> 
> This one implements the standard functionality, the definition of an
> interface through which it has to be reachable is not (yet) supported.
> 
> Using this option only makes sense when you don't have a default route
> which naturally always matches.  So this is useful for machines acting
> as routers with a default-free view of the entire Internet as common
> when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
> 
> One useful way of enabling it globally on a router looks like this:
> 
>  ipfw add xxxx deny ip from any to any not versrcreach
> 
> or for an individual interface only:
> 
>  ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
> 
> I'd like to get some feedback (and a man page draft) before I commit it
> to -CURRENT.
> 
> -- 
> Andre

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
[EMAIL PROTECTED]                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to