Re: IPFW2 versrcreach update

From: Andre Oppermann (andre_at_freebsd.org)
Date: 07/20/04

    Date: Tue, 20 Jul 2004 10:04:43 +0200
    To: James <haesu@towardex.com>
    
    

    James wrote:
    >
    > Andre, et al:
    >
    > Previously, in "My planned work on networking stack" thread, Andre made a patch
    > which allows loose-check uRPF verification using ipfw2. The command syntax is
    > versrcreach as opposed to verrevpath. The versrcreach simply checks if the
    > source address has a route other than default. In other words, pass the packet
    > if the source address is reachable via any interface available where there is a
    > route for. This is useful in multihomed BGP environment (mostly for service
    > providers using FreeBSD as routing platform). The message in which Andre posted
    > patch is below this email, quoted.
    >
    > Anyhow, getting straight to business:
    > The uRPF loose-check implementation by the industry vendors, at least on Cisco
    > and possibly Juniper, will fail the check if the route of the source address
    > is pointed to Null0 (on Juniper, discard or reject route). What this means is,
    > even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
    > uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
    > as a pseudo-packet-firewall without using any manual filtering configuration --
    > one can simply inject an IGP or BGP prefix with next-hop set to a static route
    > that directs to null/discard facility. This results in uRPF Loose-check failing
    > on all packets with source addresses that are within the range of the nullroute.
    >
    > Under verify_path() in ip_fw2.c patch Andre provided, I'd like to propose
    > possibly including the following line of change I'm thinking about in my head
    > right now.
    >
    > /* if no ifp provided, check if rtentry is not default route */
    > if (ifp == NULL &&
    > satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) {
    > RTFREE(ro.ro_rt);
    > return 0;
    > }
    >
    > + /* by this point a route is found. check if this is pointed
    > + * to blackhole/reject */
    > + if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE) ) {
    > + RTFREE(ro.ro_rt);
    > + return 0;
    > + }
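    Review bot: the new `if` should parenthesize its bitwise test as `(ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) != 0`; the bare form parses correctly because `&` binds tighter than `&&`, but next to the `ifp == NULL` conjunct it reads as ambiguous and the stray space before the closing paren suggests it was not looked at twice. The comment should also state that the `ifp == NULL` guard confines the blackhole/reject test to loose mode: when `ifp` is set this branch is skipped entirely, so if a blackholed source is meant to fail the interface-specific check as well, the guard has to go. Otherwise the shape matches the default-route block above it (RTFREE() then return 0), which is the right pattern to reuse.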
    >
    > Haven't tested this yet, but will do tomorrow after I finish some other stuff
    > I need done before rebooting w/ a test kernel.

    Tell me what the test results are.

    > Anyway the idea is to fail the check if the route has RTF_REJECT or
    > RTF_BLACKHOLE flag, under loose-check (ifp set to NULL) operation, which is
    > an easy, straightforward change.

    How do you set the RTF_REJECT or RTF_BLACKHOLE flags on a route with Zebra/
    Quagga and friends?

    -- 
    Andre
    > Thanks,
    > -J
    > 
    > --
    > James Jun                                            TowardEX Technologies, Inc.
    > Technical Lead                        Network Design, Consulting, IT Outsourcing
    > james@towardex.com                  Boston-based Colocation & Bandwidth Services
    > cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
    > 
    > >
    > > Here you go:
    > >
    > >  http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff
    > >
    > > This one implements the standard functionality, the definition of an
    > > interface through which it has to be reachable is not (yet) supported.
    > >
    > > Using this option only makes sense when you don't have a default route
    > > which naturally always matches.  So this is useful for machines acting
    > > as routers with a default-free view of the entire Internet as common
    > > when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).
    > >
    > > One useful way of enabling it globally on a router looks like this:
    > >
    > >  ipfw add xxxx deny ip from any to any not versrcreach
    > >
    > > or for an individual interface only:
    > >
    > >  ipfw add xxxx deny ip from any to any not versrcreach recv fxp0
    > >
    > > I'd like to get some feedback (and a man page draft) before I commit it
    > > to -CURRENT.
    > >
    > > --
    > > Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    
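The check the thread describes, as an added userland model rather than the ip_fw2.c code or the patch above: a toy routing table with a default route, ordinary prefixes and two nullroutes, a longest-prefix lookup, and a `verify_src_reach()` that mirrors the quoted logic, failing loose mode (`ifname == NULL`) when only the default route matches or when the matched route carries RTF_REJECT or RTF_BLACKHOLE, and failing strict mode when the route's interface differs from the receiving one. The FIB entries, the flag values and the interface names are all constructed for the example.

```c
/* Added example: a userland model of the ipfw "versrcreach" check.
 * Not the FreeBSD kernel code; the FIB and flag values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Flags modelled after RTF_REJECT / RTF_BLACKHOLE in <net/route.h>;
 * the numeric values are constructed for this example. */
#define RTF_REJECT    0x1
#define RTF_BLACKHOLE 0x2

struct toy_route {
    uint32_t    dst;    /* network address, host byte order */
    int         plen;   /* prefix length; 0 is the default route */
    const char *ifname; /* rt_ifp stand-in */
    int         flags;
};

/* Constructed sample FIB. */
static const struct toy_route fib[] = {
    { 0x00000000,  0, "em0", 0 },             /* 0.0.0.0/0 default */
    { 0xC0A80000, 16, "em1", 0 },             /* 192.168.0.0/16 */
    { 0x0A000000,  8, "em0", 0 },             /* 10.0.0.0/8 */
    { 0x0A010000, 16, "lo0", RTF_BLACKHOLE }, /* 10.1.0.0/16 nullrouted */
    { 0xC6336400, 24, "lo0", RTF_REJECT },    /* 198.51.100.0/24 rejected */
};

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Longest-prefix match over the toy FIB; NULL when nothing matches. */
static const struct toy_route *lookup(uint32_t addr)
{
    const struct toy_route *best = NULL;
    for (size_t i = 0; i < sizeof fib / sizeof fib[0]; i++) {
        if ((addr & plen_mask(fib[i].plen)) == fib[i].dst &&
            (best == NULL || fib[i].plen > best->plen))
            best = &fib[i];
    }
    return best;
}

/* Returns 1 if the source address passes, 0 if the packet should be denied.
 * ifname == NULL is loose mode ("versrcreach"); otherwise strict mode, where
 * the route must also point at the receiving interface. */
int verify_src_reach(const char *src, const char *ifname)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1)
        return 0;
    const struct toy_route *rt = lookup(ntohl(a.s_addr));
    if (rt == NULL)
        return 0;                      /* no route at all */
    if (ifname == NULL && rt->plen == 0)
        return 0;                      /* only the default route matches */
    if (ifname == NULL && (rt->flags & (RTF_REJECT | RTF_BLACKHOLE)) != 0)
        return 0;                      /* source is nullrouted: fail loose check */
    if (ifname != NULL && strcmp(rt->ifname, ifname) != 0)
        return 0;                      /* strict mode: wrong interface */
    return 1;
}

int main(void)
{
    const char *srcs[] = { "192.168.5.1", "10.2.3.4", "10.1.2.3",
                           "198.51.100.7", "8.8.8.8" };
    for (size_t i = 0; i < sizeof srcs / sizeof srcs[0]; i++)
        printf("%-14s loose=%d strict(em0)=%d\n", srcs[i],
               verify_src_reach(srcs[i], NULL),
               verify_src_reach(srcs[i], "em0"));
    return 0;
}
```

With the table above, 192.168.5.1 and 10.2.3.4 pass the loose check, 10.1.2.3 and 198.51.100.7 fail it because their best route is a nullroute, and 8.8.8.8 fails because only the default route covers it, which is the case Andre's quoted message warns makes the option meaningless on a box that keeps a default route.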

