Add the option versrcreach to verify that a valid route to the

source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses. Example: ipfw add 1000 deny ip from any to any not versrcreach also known in Cisco-speak as: ip verify unicast source reachable-via any Reviewed by: luigi
author: andre <andre@FreeBSD.org> 2004-04-23 14:28:38 +0000
committer: andre <andre@FreeBSD.org> 2004-04-23 14:28:38 +0000
commit: d4f49f008f33c4f8764a222f33a2c7469a2bed19 (patch)
tree: 409e5a1193422d7cff37e0eac1786413b8e0b686 /sys/netinet/ip_fw.h
parent: e8723e5528fcaf8fa35c8432a0f4aedfe76cb723 (diff)
download: FreeBSD-src-d4f49f008f33c4f8764a222f33a2c7469a2bed19.zip
FreeBSD-src-d4f49f008f33c4f8764a222f33a2c7469a2bed19.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 8e3047d..7258b6c 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -95,6 +95,7 @@ enum ipfw_opcodes {		/* arguments (4 byte each)	*/
 	O_TCPOPTS,		/* arg1 = 2*u8 bitmap		*/
 
 	O_VERREVPATH,		/* none				*/
+	O_VERSRCREACH,		/* none				*/
 
 	O_PROBE_STATE,		/* none				*/
 	O_KEEP_STATE,		/* none				*/
author	andre <andre@FreeBSD.org>	2004-04-23 14:28:38 +0000
committer	andre <andre@FreeBSD.org>	2004-04-23 14:28:38 +0000
commit	d4f49f008f33c4f8764a222f33a2c7469a2bed19 (patch)
tree	409e5a1193422d7cff37e0eac1786413b8e0b686 /sys/netinet/ip_fw.h
parent	e8723e5528fcaf8fa35c8432a0f4aedfe76cb723 (diff)
download	FreeBSD-src-d4f49f008f33c4f8764a222f33a2c7469a2bed19.zip FreeBSD-src-d4f49f008f33c4f8764a222f33a2c7469a2bed19.tar.gz