Julian's source IP address spoofing - code review requested
Adrian Chadd
adrian at freebsd.org
Thu Jan 8 12:14:37 PST 2009
G'day all,
I've finally gotten around to pulling apart some of Julian Elischer's
work on the source IP address spoofing stuff and I've been testing it
on my local squid-2 fork (cacheboy).
I'd appreciate some comments and review before I begin committing bits
of it to freebsd-current.
The work will be available here, including a brief description of what
is going on:
http://people.freebsd.org/~adrian/sys/spoof_bind/
I'd first like to commit the core changes which introduce a new
compile option, sysctl and IP option to enable a non-local IP address
in bind(). That in itself is enough to at least begin testing under
-current and releng_7.
The diff against -current for this first phase is available here:
http://people.freebsd.org/~adrian/sys/spoof_bind/spoof_bind_sys.diff
I'm currently running just this patch on a machine in the netperf
cluster which is acting as a transparent HTTP interception thing. It
seems to handle "moderate" request rates (~1500 socket creations a
second, ~150mbit). This first patch is pretty straightforward and I'm
reasonably confident that it won't break anything in -current or
releng_7 which isn't already broken.
There are other changes to IPFW and the bridging code which I'll ask
to be reviewed separately.
Thanks!
Adrian
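Added example, not part of Adrian's message or the linked patch: how a transparent proxy would use a non-local bind() once the option exists. It creates a TCP socket, enables the IP-level option, binds to the original client's address (which is not configured on the proxy box), then connects to the origin server so the origin sees the client's IP as the source. The option name IP_BINDANY is an assumption, since the post does not name the new option; on Linux the comparable option is IP_TRANSPARENT, and the code falls back to it so the helpers compile there too. Addresses and ports in main() are constructed placeholders.

```c
/* Non-local source bind for a transparent proxy (added example; assumptions:
 * the FreeBSD option is spelled IP_BINDANY, Linux equivalent is IP_TRANSPARENT). */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef IP_BINDANY
#define NONLOCAL_BIND_OPT IP_BINDANY      /* assumed FreeBSD spelling */
#elif defined(IP_TRANSPARENT)
#define NONLOCAL_BIND_OPT IP_TRANSPARENT  /* Linux equivalent */
#else
#define NONLOCAL_BIND_OPT (-1)            /* platform lacks the feature */
#endif

/* Fill an IPv4 sockaddr. Returns 0 on success, -1 if ip is not dotted quad. */
int make_sockaddr(const char *ip, unsigned short port, struct sockaddr_in *sa) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Host-order value of a dotted quad, or 0 if it does not parse (test helper). */
unsigned long addr_as_u32(const char *ip) {
    struct sockaddr_in sa;
    if (make_sockaddr(ip, 0, &sa) != 0) return 0;
    return (unsigned long)ntohl(sa.sin_addr.s_addr);
}

/* Create a TCP socket, enable non-local bind, bind to client_ip (not a local
 * address), connect to origin_ip:origin_port. Returns the connected fd, or
 * -errno of the failing step: EADDRNOTAVAIL means the kernel refused the
 * non-local address (option missing, sysctl off, or no privilege). */
int spoof_connect(const char *client_ip, const char *origin_ip,
                  unsigned short origin_port) {
    struct sockaddr_in src, dst;
    int fd, e, one = 1;

    if (make_sockaddr(client_ip, 0, &src) != 0 ||
        make_sockaddr(origin_ip, origin_port, &dst) != 0)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;

    if (NONLOCAL_BIND_OPT < 0) { close(fd); return -ENOPROTOOPT; }
    if (setsockopt(fd, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof one) < 0) {
        e = errno; close(fd); return -e;
    }
    /* The spoofed source: the real client's address, port chosen by the kernel. */
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        e = errno; close(fd); return -e;
    }
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        e = errno; close(fd); return -e;
    }
    return fd;
}

int main(void) {
    /* Constructed placeholder addresses: client behind the proxy, origin server. */
    int fd = spoof_connect("192.0.2.10", "198.51.100.20", 80);
    if (fd < 0) {
        fprintf(stderr, "spoof_connect failed: %s\n", strerror(-fd));
        return 1;
    }
    printf("connected with spoofed source, fd=%d\n", fd);
    close(fd);
    return 0;
}
```

Note that the socket alone only gets the SYN out with the client's source address; the origin's SYN-ACK is addressed to the client, so it only reaches this socket if the box sits in the forwarding path and the IPFW/bridging pieces Adrian mentions steer that return traffic back to the proxy. Running this on a machine that is not in path simply times out in connect().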