author | andre <andre@FreeBSD.org> | 2004-08-09 16:12:10 +0000 |
---|---|---|
committer | andre <andre@FreeBSD.org> | 2004-08-09 16:12:10 +0000 |
commit | 649b4336f4c3f3c74176cbaa17d1a54288018ba7 (patch) | |
tree | 27711afab76e2f06f811864d8a12773ee41b9de3 /sys/netinet | |
parent | 7f0c7f1817c6d5615439d9cc6ca22f49f538c591 (diff) | |
New ipfw option "antispoof":
For incoming packets, the packet's source address is checked to see whether it
belongs to a directly connected network. If the network is directly
connected, then the interface the packet came in on is compared to
the interface the network is connected to. When the incoming interface
and the directly connected interface are not the same, the packet does
not match.
Usage example:
ipfw add deny ip from any to any not antispoof in
Manpage education by: ru
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_fw.h | 1 | ||||
-rw-r--r-- | sys/netinet/ip_fw2.c | 11 |
2 files changed, 12 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index d66335a..62e743d 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -96,6 +96,7 @@ enum ipfw_opcodes {
 /* arguments (4 byte each) */
 O_VERREVPATH, /* none */
 O_VERSRCREACH, /* none */
+ O_ANTISPOOF, /* none */
 O_PROBE_STATE, /* none */
 O_KEEP_STATE, /* none */
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index de6abf3..30e6309 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2211,6 +2211,16 @@ check_body:
 verify_path(src_ip, NULL));
 break;
+ case O_ANTISPOOF:
+ /* Outgoing packets automatically pass/match */
+ if (oif == NULL && hlen > 0 &&
+ in_localaddr(src_ip))
+ match = verify_path(src_ip,
+ m->m_pkthdr.rcvif);
+ else
+ match = 1;
+ break;
+
 case O_IPSEC:
 #ifdef FAST_IPSEC
 match = (m_tag_find(m,
@@ -2844,6 +2854,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 case O_ESTAB:
 case O_VERREVPATH:
 case O_VERSRCREACH:
+ case O_ANTISPOOF:
 case O_IPSEC:
 if (cmdlen != F_INSN_SIZE(ipfw_insn))
 goto bad_size; |
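Review bot: O_ANTISPOOF is inserted between O_VERSRCREACH and O_PROBE_STATE in an enum whose visible members carry no explicit values, so every opcode from O_PROBE_STATE onward is renumbered by this hunk. An ipfw(8) built against the previous header will encode those later opcodes with stale numbers until it is rebuilt, and the kernel will interpret such rules as a different opcode. If the header's convention is that opcode numbers are private to a matched kernel/userland pair this is acceptable, but it deserves a comment at the insertion point, e.g. `/* inserting here renumbers later opcodes; rebuild ipfw(8) */`; otherwise appending the value after the last existing opcode avoids the shift. The enum continues outside the hunk.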
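Review bot: The new O_ANTISPOOF case sets match = 1 in three situations, but the comment `Outgoing packets automatically pass/match` names only one of them: oif != NULL, hlen == 0 (no IP header was parsed) and a source address for which in_localaddr() is false. The commit message makes the last one deliberate, since only directly connected networks are checked, so the comment should state the full contract, e.g. `/* Only inbound IP packets whose source lies in a directly connected network are verified against rcvif; outgoing, non-IP and non-local-source packets match. */`, so that a reader does not assume the opcode alone rejects all spoofed sources. If m->m_pkthdr.rcvif can be NULL on any path that reaches this code with oif == NULL, the result is decided by verify_path()'s handling of a NULL ifp rather than by an interface comparison; that is worth confirming against verify_path, which is outside the hunk. The enclosing switch and its function start and end outside the hunk.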