Adrian Chadd wrote:
G'day all,
I've finally gotten around to pulling apart some of Julian Elischer's
work on the source IP address spoofing stuff and I've been testing it
on my local squid-2 fork (cacheboy.)
I'd appreciate some comments and review before I begin committing bits
of it to freebsd-current.
The work will be available here, including a brief description of what
is going on:
http://people.freebsd.org/~adrian/sys/spoof_bind/
Well, the for_me rule in ipfw may have similar problems to those
the uid rules had WRT lock order. I notice you are using a read lock,
which may solve that problem.
I see you always call ether_demux when a packet is moved up..
hopefully that will also work if an interface is NOT ethernet?
Hey, I know I originally wrote this, but it's been a while and
I must say I was following tracks made by others, and we
are using only a subset of possible hardware...
I'd first like to commit the core changes which introduce a new
compile option, sysctl and IP option to enable a non-local IP address
in bind(). That in itself is enough to at least begin testing under
-current and releng_7.
the logical equivalent of this code (not prettied up) has been
in Ironport's FreeBSD since 4.x.
The code in if_bridge is new, as we used the old bridge code,
but it's logically similar.
FYI we will probably switch to a single netgraph node that
does bridging and filtering combined in 7.x :-)
The diff against -current for this first phase is available here:
http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff
I'm currently running just this patch on a machine in the netperf
cluster which is acting as a transparent HTTP interception thing. It
seems to handle "moderate" request rates (~1500 socket creations a
second, ~150mbit). This first patch is pretty straightforward and I'm
reasonably confident that it won't break anything in -current or
releng_7 which isn't already broken.
For others, this is a patch that allows the proxy to be a "bump on
the wire". It is proxying between two segments of the same subnet,
completely transparently (assuming you do server-side spoofing too.)
There are other changes to IPFW and the bridging code which I'll ask
to be reviewed separately.
Thanks!
Adrian
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
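The core change discussed in this thread is letting bind() accept an address the host does not own. The small C program below is an added illustration, not code from Adrian's patch or the cacheboy/squid tree: it tries to bind a TCP socket to a non-local IPv4 address and reports the errno, first with a stock socket and then after requesting the kernel's non-local-bind option. The option names are assumptions for the sake of the demo: IP_BINDANY is the name this feature carries in later FreeBSD releases (it requires root), and IP_FREEBIND is the Linux analogue (no privilege needed); on a kernel without either the request fails with ENOPROTOOPT. 192.0.2.1 is an RFC 5737 documentation address, chosen because no real host owns it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Added example (not from Adrian's patch): attempt to bind() a TCP
 * socket to an arbitrary IPv4 address and return 0 on success or the
 * errno of the failing call. With allow_nonlocal set, the kernel's
 * "bind to a non-local address" option is requested first.
 *
 * Option name chosen at compile time (assumed names, see lead-in):
 *   IP_BINDANY  - FreeBSD, needs root (PRIV_NETINET_BINDANY)
 *   IP_FREEBIND - Linux analogue, no privilege required
 * Neither available: requesting non-local binding yields ENOPROTOOPT.
 */
int try_bind(const char *addr, int allow_nonlocal)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                       /* any ephemeral port */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL;                      /* not a dotted-quad address */

    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return errno;

    if (allow_nonlocal) {
        int one = 1, rc;
#if defined(IP_BINDANY)
        rc = setsockopt(s, IPPROTO_IP, IP_BINDANY, &one, sizeof one);
#elif defined(IP_FREEBIND)
        rc = setsockopt(s, IPPROTO_IP, IP_FREEBIND, &one, sizeof one);
#else
        errno = ENOPROTOOPT;
        rc = -1;
#endif
        if (rc != 0) {
            int e = errno;                  /* EPERM when unprivileged */
            close(s);
            return e;
        }
    }

    /* Without the option, a stock kernel rejects a foreign address with
     * EADDRNOTAVAIL; with it, the bind succeeds and the socket will
     * emit segments carrying that spoofed source address. */
    int e = 0;
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) != 0)
        e = errno;
    close(s);
    return e;
}

int main(void)
{
    /* Constructed input: 192.0.2.1 is TEST-NET-1, owned by no real host. */
    const char *spoofed = "192.0.2.1";
    int e;

    e = try_bind(spoofed, 0);
    printf("bind(%s) without option: %s\n", spoofed, e ? strerror(e) : "ok");

    e = try_bind(spoofed, 1);
    printf("bind(%s) with non-local option: %s\n", spoofed, e ? strerror(e) : "ok");
    return 0;
}
```

A successful bind is only half of the "bump on the wire": the kernel will now send SYN/data with the client's address as source, but the replies from the origin server are addressed to that client, not to the proxy, so they will only reach the proxy's socket if something (the ipfw for_me rule and if_bridge changes Adrian says he will post separately) steers them up the local stack instead of forwarding them across the bridge.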