implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)

which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@

1 files changed, 4 insertions, 1 deletions

diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index ec7bfa7060a..3511c5da663 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_print_state.c,v 1.42 2005/11/04 08:24:15 mcbride Exp $	*/
+/*	$OpenBSD: pf_print_state.c,v 1.43 2006/03/14 11:09:44 djm Exp $	*/
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -96,6 +96,9 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
 	case PF_ADDR_NOROUTE:
 		printf("no-route");
 		return;
+	case PF_ADDR_URPFFAILED:
+		printf("urpf-failed");
+		return;
 	case PF_ADDR_RTLABEL:
 		printf("route \"%s\"", addr->v.rtlabelname);
 		return;