[Bug 249275] New netgraph nodetype: ng_antispoof

Created attachment 217912
New netgraph node type: ng_antispoof

This introduces a new netgraph node type that prevents the upstream network from spoofing ethernet and IP addresses. It is called 'ng_antispoof' (name is open for debate, of course).

What it does: It validates the upstream addresses of each packet against a set of rules. If at least one rule matches, the packet is passed through, otherwise it is blocked. Each rule consists of an ethernet address and an IP or IPv6 address (in a simplified point of view).

How it works: Each node provides three hooks:
- 'filter': Where to connect the upstream node to be protected (e.g. a jail, a VM, ...).
- 'downstream': Downstream node (e.g. a bridge device, the internet, ...).
- 'nomatch': Useful for debugging with tcpdump. If connected, blocked traffic is forwarded on this hook instead of being discarded. This is output only, traffic arriving on this hook is immediately discarded.

[ASCII diagram: the 'downstream' cloud and the 'filter' hook attached to the 'ng_antispoof' node box, with the 'nomatch' hook labelled below it]
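The pass/block decision the report describes (a frame from the protected side passes only when at least one rule matches both its source ethernet address and its source IPv4/IPv6 address), modelled as an added user-space C example. This is not the ng_antispoof node's code from the attachment; the `struct as_rule` layout, the function names and the sample MAC/IP values are assumptions constructed for this example.

```c
/* Illustrative user-space model of the ng_antispoof rule check: a frame is
 * passed only if some rule matches its source MAC *and* source IP address.
 * Not the netgraph node's code; struct and function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_IPV6 0x86DD
#define ETHER_ADDR_LEN 6

/* One rule: an ethernet address paired with an IPv4 or IPv6 address. */
struct as_rule {
    uint8_t mac[ETHER_ADDR_LEN];
    int     af;        /* 4 or 6 */
    uint8_t ip[16];    /* 4 bytes used for IPv4, 16 for IPv6 */
};

enum as_verdict { AS_BLOCK = 0, AS_PASS = 1 };

/* Inspect a raw ethernet frame arriving on the 'filter' side and decide
 * PASS/BLOCK against the rule set. Truncated frames and other ethertypes
 * are blocked, because no rule can vouch for their source addresses. */
enum as_verdict
as_check(const uint8_t *frame, size_t len,
         const struct as_rule *rules, size_t nrules)
{
    const uint8_t *src_mac, *src_ip;
    uint16_t ethertype;
    int af, iplen;
    size_t i;

    if (len < 14)
        return AS_BLOCK;
    src_mac   = frame + 6;                          /* source MAC, offset 6 */
    ethertype = (uint16_t)(frame[12] << 8 | frame[13]);

    if (ethertype == ETHERTYPE_IP) {
        if (len < 14 + 20) return AS_BLOCK;
        src_ip = frame + 14 + 12;                   /* IPv4 src, offset 12 */
        af = 4; iplen = 4;
    } else if (ethertype == ETHERTYPE_IPV6) {
        if (len < 14 + 40) return AS_BLOCK;
        src_ip = frame + 14 + 8;                    /* IPv6 src, offset 8 */
        af = 6; iplen = 16;
    } else {
        return AS_BLOCK;
    }

    for (i = 0; i < nrules; i++) {
        if (rules[i].af == af &&
            memcmp(rules[i].mac, src_mac, ETHER_ADDR_LEN) == 0 &&
            memcmp(rules[i].ip, src_ip, iplen) == 0)
            return AS_PASS;                         /* first match wins */
    }
    return AS_BLOCK;                                /* no rule matched */
}

/* Build a minimal IPv4 frame (constructed sample data); only the header
 * fields as_check() reads are filled in. Returns the frame length. */
size_t
build_ipv4_frame(uint8_t *buf, const uint8_t *src_mac, const uint8_t *src_ip)
{
    memset(buf, 0, 34);
    memset(buf, 0xff, ETHER_ADDR_LEN);              /* broadcast destination */
    memcpy(buf + 6, src_mac, ETHER_ADDR_LEN);
    buf[12] = 0x08; buf[13] = 0x00;                 /* ethertype IPv4 */
    buf[14] = 0x45;                                 /* version 4, IHL 5 */
    memcpy(buf + 14 + 12, src_ip, 4);
    return 34;
}

/* Constructed scenario: the jail behind 'filter' may use exactly one
 * MAC/IPv4 pair. Returns how many of three frames are passed. */
int
as_demo(void)
{
    static const uint8_t jail_mac[6]  = {0x02,0x00,0x00,0x00,0x00,0x01};
    static const uint8_t other_mac[6] = {0x02,0x00,0x00,0x00,0x00,0x02};
    static const uint8_t jail_ip[4]   = {192,0,2,10};   /* TEST-NET-1 */
    static const uint8_t other_ip[4]  = {192,0,2,20};
    struct as_rule rules[1];
    uint8_t frame[64];
    size_t n;
    int passed = 0;

    memcpy(rules[0].mac, jail_mac, 6);
    rules[0].af = 4;
    memcpy(rules[0].ip, jail_ip, 4);

    n = build_ipv4_frame(frame, jail_mac, jail_ip);   /* legitimate  */
    passed += as_check(frame, n, rules, 1);
    n = build_ipv4_frame(frame, jail_mac, other_ip);  /* IP spoofed  */
    passed += as_check(frame, n, rules, 1);
    n = build_ipv4_frame(frame, other_mac, jail_ip);  /* MAC spoofed */
    passed += as_check(frame, n, rules, 1);
    printf("passed %d of 3 frames\n", passed);
    return passed;
}
```

The rule lookup is a linear scan, which is enough to show the semantics; a kernel node handling high packet rates would want a hash keyed on the source MAC so the per-packet cost does not grow with the number of rules.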
