| author | andre <andre@FreeBSD.org> | 2004-04-23 14:28:38 +0000 |
|---|---|---|
| committer | andre <andre@FreeBSD.org> | 2004-04-23 14:28:38 +0000 |
| commit | d4f49f008f33c4f8764a222f33a2c7469a2bed19 (patch) | |
| tree | 409e5a1193422d7cff37e0eac1786413b8e0b686 /sys/netinet/ip_fw.h | |
| parent | e8723e5528fcaf8fa35c8432a0f4aedfe76cb723 (diff) | |
Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table. The
default route is ignored because it would match everything and
render the check pointless.
This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.
Example:
ipfw add 1000 deny ip from any to any not versrcreach
also known in Cisco-speak as:
ip verify unicast source reachable-via any
Reviewed by: luigi
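The check the commit message describes, modelled as an added example (not ipfw's own code): a longest-prefix lookup over a constructed routing table, where a match on the default route does not count, because it would match everything. The table entries and the verdict() wrapper are assumptions made for the example; the real kernel consults the FIB.

```python
import ipaddress

# Constructed routing table (stand-in for the kernel FIB, not ipfw code).
# The default route is included on purpose so the example can show that
# versrcreach must ignore it, exactly as the commit message says.
ROUTING_TABLE = [
    ipaddress.ip_network("0.0.0.0/0"),        # default route: ignored by the check
    ipaddress.ip_network("192.0.2.0/24"),     # constructed learned prefix
    ipaddress.ip_network("198.51.100.0/24"),  # constructed learned prefix
    ipaddress.ip_network("203.0.113.0/25"),   # covers .0 - .127 only
]


def lookup(src, table):
    """Longest-prefix match for src over table; returns the prefix or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix in table:
        if addr in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return best


def versrcreach(src, table):
    """True when some route other than the default route covers src."""
    route = lookup(src, table)
    return route is not None and route.prefixlen > 0


def verdict(src, table):
    """Model of: ipfw add 1000 deny ip from any to any not versrcreach"""
    return "allow" if versrcreach(src, table) else "deny"


if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.5", "203.0.113.200", "10.1.2.3"):
        print(src, "->", lookup(src, ROUTING_TABLE), verdict(src, ROUTING_TABLE))
```

A source in 203.0.113.128/25 or 10.0.0.0/8 only hits the default route here, so the rule drops it as unrouteable; a real router with a full BGP table would have far more prefixes but the same logic.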
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 1 |
|---|---|---|
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 8e3047d..7258b6c 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -95,6 +95,7 @@ enum ipfw_opcodes { /* arguments (4 byte each) */ O_TCPOPTS, /* arg1 = 2*u8 bitmap */ O_VERREVPATH, /* none */ + O_VERSRCREACH, /* none */ O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ |
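Review bot: inserting O_VERSRCREACH between O_VERREVPATH and O_PROBE_STATE shifts the numeric value of every opcode that follows it in enum ipfw_opcodes (O_PROBE_STATE, O_KEEP_STATE and the rest), so an ipfw(8) built against the previous header would emit rules the updated kernel decodes as a different opcode, and vice versa. If the enum values form part of the kernel/userland rule ABI, either append the new opcode at the end of the enum or say explicitly in the commit message that the kernel and ipfw(8) must be rebuilt together. The `/* none */` annotation is consistent with the neighbouring argument-less opcodes, and this diffstat only covers the header, so the check itself and the ipfw(8) parser change are not visible for review here.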