Excerpts from internet.computing.firewalls: 1-Aug-96 Re: How secure is xinetd's .. by Don Lewis@tsc.tdk.com
>
> if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
> if (ia->ia_ifp == ifp)
> goto ours;
> else
> it came in on the wrong interface, log it
This code would work beautifully if ipintr had ifp, a pointer to the
interface the packet was received on. Unfortunately, BSD networking
code never records the interface a packet was received on. When an
ethernet packet is received, ether_input never records ifp for future
reference. This means that any ifp ipintr has must have been derived
from the receiving address, so the check will always pass. To get this
to work correctly requires a kind of big hack, because the IP code
doesn't even see the ethernet address of the interface. I see two
options here:
1) Try to have the IP code walk backwards on queued packets to extract
the ethernet address and match it with the interface. Not good because
we can't guarantee that walking back into the ethernet header will work,
it is low-level protocol dependent. Also, depending on the
implementation, the ethernet header may already have been discarded.
2) Add a field to the packet queue which holds the interface the packet
was received on. This is ok, but means all input mechanisms (SLIP,
loopback, PPP, ethernet) must do this, adding overhead. In addition, in
systems which support dynamic interfaces (like Linux's IP aliasing), we
can't guarantee that a pointer will work, because the interface may not
exist anymore. This is, IMHO, the correct behavior.
I am going to implement 2) for Linux, hopefully by the end of 7 days and
7 nights.
Zach Amsden
amsden@andrew.cmu.edu
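Added example, not from this post or from any BSD or Linux kernel source: a small user-space model in C of option 2 above, where the input routine stamps each packet with the interface it arrived on and the ipintr-style check compares that against the interface owning the destination address. It goes one step beyond the post by storing a small interface index instead of an ifp pointer, so a packet whose receiving interface was deleted while it sat on the queue is detected and dropped rather than dereferencing a stale pointer. Every name here (struct iface, struct pkt, ip_input_check, demo_case, the addresses) is constructed for the example.

```c
/* Model of "record the receiving interface on the packet" (option 2 in the
 * post) plus the check from the quoted code. Constructed example; all
 * structures, functions and addresses are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-byte-order IPv4 address from four octets. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8)  |  (uint32_t)(d))

struct iface {
    int      ifindex;   /* stable small integer; stays meaningful after the iface is deleted */
    char     name[8];
    uint32_t addr;      /* the interface's own IPv4 address */
};

struct pkt {
    uint32_t src, dst;  /* IPv4 header fields */
    int      rcv_ifindex; /* stamped by the input path (ether_input, slip, ppp, loopback) */
};

enum verdict { PKT_OURS, PKT_WRONG_IFACE, PKT_IFACE_GONE, PKT_NOT_OURS };

static void ip4str(uint32_t a, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

static const struct iface *find_by_index(const struct iface *t, size_t n, int idx)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].ifindex == idx) return &t[i];
    return NULL;
}

static const struct iface *find_by_addr(const struct iface *t, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].addr == addr) return &t[i];
    return NULL;
}

/* The quoted check, now with the receiving interface actually known.
 * 'log' receives a one-line message for the cases worth recording. */
enum verdict ip_input_check(const struct pkt *p, const struct iface *t, size_t n,
                            char *log, size_t loglen)
{
    char src[16], dst[16];
    ip4str(p->src, src, sizeof src);
    ip4str(p->dst, dst, sizeof dst);
    log[0] = '\0';

    const struct iface *rcv = find_by_index(t, n, p->rcv_ifindex);
    if (rcv == NULL) {
        /* Interface removed between input and ipintr (dynamic interfaces): drop, don't guess. */
        snprintf(log, loglen, "drop %s->%s: receiving ifindex %d no longer exists",
                 src, dst, p->rcv_ifindex);
        return PKT_IFACE_GONE;
    }
    const struct iface *owner = find_by_addr(t, n, p->dst);
    if (owner == NULL)
        return PKT_NOT_OURS;            /* forward or drop per host policy */
    if (owner == rcv)
        return PKT_OURS;
    snprintf(log, loglen, "%s->%s: dst belongs to %s but packet arrived on %s",
             src, dst, owner->name, rcv->name);
    return PKT_WRONG_IFACE;
}

/* Constructed dual-homed host: eth0 outside, eth1 inside. */
static const struct iface demo_table[] = {
    { 1, "eth0", IP4(203, 0, 113, 1) },
    { 2, "eth1", IP4(192, 168, 1, 1) },
};
#define DEMO_N (sizeof demo_table / sizeof demo_table[0])

/* Scenario 'which': 0 = packet for the inside address arriving on eth0,
 * 1 = the same packet on eth1, 2 = receiving interface vanished,
 * 3 = not addressed to this host. Returns the verdict and prints any log line. */
enum verdict demo_case(int which)
{
    static const struct pkt cases[] = {
        { IP4(192, 168, 1, 50), IP4(192, 168, 1, 1), 1 },
        { IP4(192, 168, 1, 50), IP4(192, 168, 1, 1), 2 },
        { IP4(192, 168, 1, 50), IP4(192, 168, 1, 1), 7 },
        { IP4(198, 51, 100, 9), IP4(203, 0, 113, 77), 1 },
    };
    char log[128];
    enum verdict v = ip_input_check(&cases[which], demo_table, DEMO_N, log, sizeof log);
    if (log[0]) printf("%s\n", log);
    return v;
}

int main(void)
{
    for (int i = 0; i < 4; i++) demo_case(i);
    return 0;
}
```

The lookup by index at check time is the cost of not trusting a pointer across a queue boundary; it is one table walk per packet, which is the overhead the post is willing to accept for all input mechanisms.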