authorandre <andre@FreeBSD.org>2004-08-09 16:12:10 +0000
committerandre <andre@FreeBSD.org>2004-08-09 16:12:10 +0000
commit649b4336f4c3f3c74176cbaa17d1a54288018ba7 (patch)
tree27711afab76e2f06f811864d8a12773ee41b9de3 /sys/netinet/ip_fw2.c
parent7f0c7f1817c6d5615439d9cc6ca22f49f538c591 (diff)
downloadFreeBSD-src-649b4336f4c3f3c74176cbaa17d1a54288018ba7.zip
FreeBSD-src-649b4336f4c3f3c74176cbaa17d1a54288018ba7.tar.gz
New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came on in is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match. Usage example: ipfw add deny ip from any to any not antispoof in Manpage education by: ru
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r--sys/netinet/ip_fw2.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index de6abf3..30e6309 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2211,6 +2211,16 @@ check_body:
verify_path(src_ip, NULL));
break;
+ case O_ANTISPOOF:
+ /* Outgoing packets automatically pass/match */
+ if (oif == NULL && hlen > 0 &&
+ in_localaddr(src_ip))
+ match = verify_path(src_ip,
+ m->m_pkthdr.rcvif);
+ else
+ match = 1;
+ break;
+
case O_IPSEC:
#ifdef FAST_IPSEC
match = (m_tag_find(m,
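Review bot: The new O_ANTISPOOF arm's comment undersells the else branch: the `hlen > 0` term in the condition means that any packet without a parsed IPv4 header, not only an outgoing one, takes the unconditional `match = 1` path, and with the `not antispoof` usage shown in the description such a packet is treated as legitimate. I would make that explicit, e.g. `/* Outgoing and non-IP packets automatically pass/match */`, so a reader does not assume non-IPv4 traffic is subjected to the source-interface check. The real check is delegated to verify_path(src_ip, m->m_pkthdr.rcvif), whose handling of an address that in_localaddr() accepts but whose route lookup fails is defined outside this hunk, so the policy of that case cannot be confirmed here. The enclosing switch in check_body continues both before and after the hunk.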
@@ -2844,6 +2854,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
case O_ESTAB:
case O_VERREVPATH:
case O_VERSRCREACH:
+ case O_ANTISPOOF:
case O_IPSEC:
if (cmdlen != F_INSN_SIZE(ipfw_insn))
goto bad_size;