author | Damien Miller <djm@cvs.openbsd.org> | 2006-03-14 11:09:45 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2006-03-14 11:09:45 +0000 |
commit | e055a9b4aafcec9f3ea194c18c76a6acced4de30 (patch) | |
tree | 16e79b671c181e22a40833b796ef7d4d3df308a0 /share/man/man5/pf.conf.5 | |
parent | 5f879104b40ee6ebe805ea5e29d89a98092a3c78 (diff) |
implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- | share/man/man5/pf.conf.5 | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8149fa961b6..8a844fe474f 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.341 2006/02/20 11:39:43 camield Exp $
+.\" $OpenBSD: pf.conf.5,v 1.342 2006/03/14 11:09:44 djm Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -1296,6 +1296,10 @@ and
 .Xr route 8 .
 .It Ar no-route
 Any address which is not currently routable.
+.It Ar urpf-failed
+Any source address that fails a unicast reverse path forwarding (URPF)
+check, i.e. packets coming in on an interface other than that which holds
+the route back to the packet's source address.
 .It Ar <table>
 Any address that matches the given table.
 .El
@@ -2533,6 +2537,10 @@ block return log on $ext_if all
 # block anything coming from source we have no back routes for
 block in from no-route to any
+# block packets whose ingress interface does not match the one in
+# the route back to their source address
+block in from urpf-failed to any
+
 # block and log outgoing packets that do not have our address as source,
 # they are either spoofed or something is misconfigured (NAT disabled,
 # for instance), we want to be nice and do not send out garbage.
@@ -2720,7 +2728,7 @@ protospec = "proto" ( proto-name | proto-number |
 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
 hosts = "all" |
-"from" ( "any" | "no-route" | "self" | host |
+"from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
 "{" host-list "}" | "route" string ) [ port ] [ os ]
 "to" ( "any" | "no-route" | "self" | host |
 "{" host-list "}" | "route" string ) [ port ] |