>> if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
>> if (ia->ia_ifp == ifp)
>> goto ours;
>> else
>> it came in on the wrong interface, log it
>From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
>This code would work beautifully if ipintr had ifp, a pointer to the
>interface the packet was received on. Unfortunately, BSD networking
>code never records the interface a packet was received on. When an
>ethernet packet is received, ether_input never records ifp for future
>reference. This means that any ifp ipintr has must have been derived
>from the receiving address, so the check will always pass. To get this
Be careful there. While what you said may be true of BSD-based networking
code in just about every currently shipping OS, it certainly isn't true
for SunOS 4.1.x, which is what I was writing about when I sent that message
to this list in early 1995. If your ipintr() has a line of code in it like:
IF_DEQUEUEIF(m, &ifreq, &ifp)
then you do have an ifp you can trust, as it was sitting right before the
IP packet and IF_DEQUEUEIF adjusted the mbuf to point past it. I've tried
this, sitting outside a dual-homed bastion with an attack machine, with a
static route to an inside network pointing at the bastion, and watched the
kernel log and drop packets that came in on the wrong interface. I ended
up tossing in code to send an ICMP network unreachable when this happened
and it all worked the way I expected.
Jonathan Hue jhue@crl.com
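A user-space model of the ipintr() check under discussion, added here as an illustration; it is not code from either poster nor from the SunOS or BSD sources. struct ifnet and struct in_ifaddr are cut-down stand-ins, and the dual-homed bastion (le0 outside, le1 inside) with its two addresses is constructed. It runs the quoted check once with a receiving ifp the kernel can trust (the IF_DEQUEUEIF case) and once with an ifp derived from the destination address, which is the situation the quoted objection describes:

```c
/* Added example: user-space model of the ipintr() anti-spoofing check
 * discussed in this thread. NOT SunOS or BSD kernel code; struct ifnet
 * and struct in_ifaddr below are hypothetical, cut-down stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8)  |  (uint32_t)(d))

struct ifnet { const char *if_name; };   /* stand-in for struct ifnet */
struct in_ifaddr {                       /* stand-in for struct in_ifaddr */
    uint32_t      ia_addr;               /* IA_SIN(ia)->sin_addr, host order */
    struct ifnet *ia_ifp;                /* interface that owns this address */
};

enum verdict { V_OURS, V_WRONG_IFACE, V_NOT_OURS };

/* Constructed dual-homed bastion: le0 faces the outside, le1 the inside. */
static struct ifnet le0 = { "le0" };
static struct ifnet le1 = { "le1" };
static struct in_ifaddr in_ifaddrs[] = {
    { IP4(192, 0, 2, 1), &le0 },
    { IP4(10, 0, 0, 1),  &le1 },
};
#define NADDRS (sizeof in_ifaddrs / sizeof in_ifaddrs[0])

/* The quoted check: if ip_dst is one of our addresses, the packet is "ours"
 * only when it arrived on the interface that owns that address. Otherwise
 * it is spoofed or misrouted: log it and drop it (the reply above also sent
 * an ICMP network unreachable at this point). */
enum verdict ip_dst_check(uint32_t ip_dst, const struct ifnet *rcv_ifp)
{
    for (size_t i = 0; i < NADDRS; i++) {
        if (in_ifaddrs[i].ia_addr != ip_dst)
            continue;
        if (in_ifaddrs[i].ia_ifp == rcv_ifp)
            return V_OURS;
        fprintf(stderr, "ip: dst %u.%u.%u.%u arrived on %s, expected %s: dropping\n",
                (unsigned)(ip_dst >> 24), (unsigned)((ip_dst >> 16) & 0xff),
                (unsigned)((ip_dst >> 8) & 0xff), (unsigned)(ip_dst & 0xff),
                rcv_ifp ? rcv_ifp->if_name : "(none)",
                in_ifaddrs[i].ia_ifp->if_name);
        return V_WRONG_IFACE;
    }
    return V_NOT_OURS;   /* not addressed to us: continues to forwarding */
}

/* Models the objection quoted above: a stack that never recorded the
 * receiving interface and instead derives ifp from the destination address
 * hands the check the owner of that address by construction, so the
 * interface comparison can never fail. */
const struct ifnet *ifp_from_dst(uint32_t ip_dst)
{
    for (size_t i = 0; i < NADDRS; i++)
        if (in_ifaddrs[i].ia_addr == ip_dst)
            return in_ifaddrs[i].ia_ifp;
    return NULL;
}

int main(void)
{
    uint32_t inside = IP4(10, 0, 0, 1);
    /* Trusted ifp (IF_DEQUEUEIF case): a packet for the inside address
     * that shows up on the outside wire is caught. */
    enum verdict v1 = ip_dst_check(inside, &le0);
    /* ifp derived from the destination: the same packet is accepted. */
    enum verdict v2 = ip_dst_check(inside, ifp_from_dst(inside));
    printf("trusted ifp: %s\nderived ifp: %s\n",
           v1 == V_WRONG_IFACE ? "dropped" : "accepted",
           v2 == V_OURS ? "accepted" : "dropped");
    return 0;
}
```

The only difference between the two runs is where rcv_ifp came from; the comparison itself is identical, which is the point of the thread: the check is only as good as the provenance of the ifp it is handed.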