Add a 'verrevpath' option that verifies the interface that a packet

comes in on is the same interface that we would route out of to get to the packet's source address. Essentially automates an anti-spoofing check using the information in the routing table. Experimental. The usage and rule format for the feature may still be subject to change.
author: cjc <cjc@FreeBSD.org> 2003-03-15 01:13:00 +0000
committer: cjc <cjc@FreeBSD.org> 2003-03-15 01:13:00 +0000
commit: 94a234c212a5c9dd2d1959aeac7d473f32edc469 (patch)
tree: f3840357a5e252c7a31e997e327412353b89ccd6 /sys/netinet/ip_fw.h
parent: aa8043306969e886fb266c66019106348e6fc690 (diff)
download: FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.zip
FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index b3fffb8..f2b932e 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -89,6 +89,8 @@ enum ipfw_opcodes {		/* arguments (4 byte each)	*/
 	O_ICMPTYPE,		/* u32 = icmp bitmap		*/
 	O_TCPOPTS,		/* arg1 = 2*u8 bitmap		*/
 
+	O_VERREVPATH,		/* none				*/
+
 	O_PROBE_STATE,		/* none				*/
 	O_KEEP_STATE,		/* none				*/
 	O_LIMIT,		/* ipfw_insn_limit		*/
author	cjc <cjc@FreeBSD.org>	2003-03-15 01:13:00 +0000
committer	cjc <cjc@FreeBSD.org>	2003-03-15 01:13:00 +0000
commit	94a234c212a5c9dd2d1959aeac7d473f32edc469 (patch)
tree	f3840357a5e252c7a31e997e327412353b89ccd6 /sys/netinet/ip_fw.h
parent	aa8043306969e886fb266c66019106348e6fc690 (diff)
download	FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.zip FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.tar.gz