Re: IPFW2 versrcreach update

From: James (james_at_towardex.com)
Date: 07/21/04

    Date: Wed, 21 Jul 2004 07:44:55 -0400
    To: Andre Oppermann <andre@freebsd.org>

    Andre,

    >
    > James,
    >
    > it just occurred to me; but what is the purpose of versrcreach denying a
    > packet that will be discarded a few cycles later anyway? When I mark
    > a route with -reject I want the ICMPs to go out and still use the versrcreach
    > functionality in ipfw.

    The point is to have uRPF loose-check *drop* the packets sourced from IPs that
    are null-routed. A null route would discard the packet destined *to* the null
    route, but it would never drop a packet *sourced* with an IP within the null
    route.

    uRPF should not emit an ICMP when it drops a -reject route. Even with
    ip unreachables, Cisco won't emit ICMP when uRPF is killing a packet. The source
    that triggered the uRPF drop condition cannot be trusted as it may have spoofed the
    packet.

    -J

    -- 
    James Jun                                            TowardEX Technologies, Inc.
    Technical Lead                        Network Design, Consulting, IT Outsourcing
    james@towardex.com                  Boston-based Colocation & Bandwidth Services
    cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

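The distinction James draws above (a null route discards packets *to* the prefix, while a loose uRPF check discards packets *sourced from* it, silently) can be made concrete with a small model. The following is an added illustration, not code from ipfw or from anyone in this thread: a toy longest-prefix-match routing table with `-reject`/`-blackhole` flags, a `versrcreach_loose()` check that fails for sources with no route, a default-route-only match (assumed here to be excluded, as the real versrcreach excludes the default route), or a reject/blackhole route, and a `handle_packet()` function that reports whether a drop would generate an ICMP unreachable. The route table and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    # subset of {"reject", "blackhole"}; empty for an ordinary forwarding route
    flags: frozenset = field(default_factory=frozenset)


class RoutingTable:
    """Minimal longest-prefix-match table (illustration only, not the kernel's radix tree)."""

    def __init__(self, routes: Iterable[Route]):
        # longest prefix first, so the first hit in lookup() is the most specific
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for route in self.routes:
            if ip in route.prefix:
                return route
        return None


def versrcreach_loose(table: RoutingTable, src: str) -> bool:
    """Loose uRPF: does a usable (non-default, non-reject, non-blackhole) route to src exist?"""
    route = table.lookup(src)
    if route is None or route.prefix.prefixlen == 0:
        return False          # unrouted, or only the default route covers it
    if route.flags & {"reject", "blackhole"}:
        return False          # source lies inside a null route: treat as spoofed
    return True


def handle_packet(table: RoutingTable, src: str, dst: str) -> Tuple[str, str, bool]:
    """Return (action, reason, icmp_sent). A versrcreach drop never sends ICMP,
    because the source address that failed the check is untrusted."""
    if not versrcreach_loose(table, src):
        return ("drop", "versrcreach", False)
    route = table.lookup(dst)
    if route is None:
        return ("drop", "no-route", True)
    if "blackhole" in route.flags:
        return ("drop", "blackhole", False)     # destination -blackhole: silent discard
    if "reject" in route.flags:
        return ("drop", "reject", True)         # destination -reject: ICMP unreachable goes back
    return ("forward", str(route.prefix), False)


# Constructed sample table: one default route, one ordinary prefix, two null routes
# (documentation prefixes from RFC 5737 stand in for "bad" source space).
CONSTRUCTED_TABLE = RoutingTable([
    Route(ipaddress.IPv4Network("0.0.0.0/0")),
    Route(ipaddress.IPv4Network("10.0.0.0/8")),
    Route(ipaddress.IPv4Network("203.0.113.0/24")),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), frozenset({"reject"})),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), frozenset({"blackhole"})),
])


if __name__ == "__main__":
    samples = [
        ("203.0.113.5", "10.1.2.3"),    # legitimate source: forwarded
        ("192.0.2.7", "10.1.2.3"),      # source inside -reject null route: silent drop
        ("10.1.2.3", "192.0.2.7"),      # destination inside -reject route: drop + ICMP
        ("8.8.8.8", "10.1.2.3"),        # only the default route covers the source: silent drop
        ("198.51.100.9", "10.1.2.3"),   # source inside -blackhole route: silent drop
    ]
    for src, dst in samples:
        print(f"{src:>14} -> {dst:<10} {handle_packet(CONSTRUCTED_TABLE, src, dst)}")
```

The two drop paths answer the question in the quoted mail: a packet *to* the null-routed prefix still produces the ICMP unreachable the route was marked `-reject` for, while a packet *from* inside that prefix is discarded by the source check with no ICMP at all, since replying to a possibly spoofed source would only generate backscatter.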