From 55db762b76549714a25d90630b7dcf6f360fb90c Mon Sep 17 00:00:00 2001 From: Andre Oppermann Date: Wed, 21 Jul 2004 19:55:14 +0000 Subject: [PATCH] Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. To quote the submitter: The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute. Submitted by: James Jun --- sbin/ipfw/ipfw.8 | 4 ++-- sys/netinet/ip_fw2.c | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 9197b6b12285..e985fa920c7c 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1267,8 +1267,8 @@ packets with source addresses not from this interface. .It Cm versrcreach For incoming packets, a routing table lookup is done on the packet's source address. -If a route to the source address exists, but not the default route, -the packet matches. +If a route to the source address exists, but not the default route +or a blackhole/reject route, the packet matches. Otherwise the packet does not match. All outgoing packets match. .Pp diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 0b6f754a6e4e..de6abf336754 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c 
@@ -506,6 +506,12 @@ verify_path(struct in_addr src, struct ifnet *ifp) return 0; } + /* or if this is a blackhole/reject route */ + if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { + RTFREE(ro.ro_rt); + return 0; + } + /* found valid route */ RTFREE(ro.ro_rt); return 1;
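Review bot: in the ipfw.8 hunk, the rewritten sentence "If a route to the source address exists, but not the default route or a blackhole/reject route, the packet matches." is easy to misread as three separate alternatives; suggest "If a route to the source address exists and it is neither the default route nor a blackhole/reject route, the packet matches." so the condition reads as one lookup with two exclusions. The diffstat shows only these two lines touched in ipfw.8, so the page's .Dd date is not bumped; mdoc convention is to update it when documented behaviour changes, and a user relying on the old "default route only" semantics would want the change visible there.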
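Review bot: in the ip_fw2.c hunk the new test is guarded by `ifp == NULL`, so the RTF_REJECT|RTF_BLACKHOLE check applies only to the loose lookup (versrcreach); when a receiving interface is supplied (the strict reverse-path case) a blackhole or reject route is still accepted as long as its rt_ifp matches. That is consistent with the commit message, which only discusses the loose check, but the comment "or if this is a blackhole/reject route" reads as a continuation of the preceding default-route check and should say the restriction is deliberate. Style point: the bitwise test inside the condition should be parenthesised, i.e. `if (ifp == NULL && (ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))`; `&` binds tighter than `&&` so the logic is correct as written, but the parentheses make the intent obvious and match the surrounding style.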