[Xorp-hackers] Implementing reverse path filtering and packet marking

Kristian Larsson kristian@juniks.net
Tue, 18 Apr 2006 07:15:42 +0200


On Tue, Apr 18, 2006 at 12:05:48AM -0400, Craig Shue wrote:
> Greetings,
> 
> I am interested in implementing a form of Reverse Path Filtering. This
> process is similar to ingress filtering that is performed by consulting
> the BGP FIB/RIB and accepting packets only from address ranges reachable
> through the interface (based on routing advertisements, static routes,
> etc.). Afterwards, I would like to experiment by adding a prefix-indexed
> table for this lookup and perform packet marking in the IP options field.
> 
> I have been looking around in the FEA section and documentation.
> However, I am rather unclear about how/where the regular packet
> processing is actually happening. I am seeing raw packet handling
> functions, but they don't seem like they are for typical packets. Could
> anyone point me to some detailed documentation on this or explain it a bit?

The code in the FEA section is only for traffic actually destined for
XORP, that is, routing protocol traffic and such. The actual forwarding
of traffic is not handled by XORP; it is done inside the kernel.
Thus it is the kernel that should support the RPF check. Linux already
does this; please have a look at /proc/sys/net/ipv4/conf/*/rp_filter

AFAIK, FreeBSD is lacking this functionality, just like many other OSes
out there, so indeed there is some work to do :)

> 
> Also, if you have any pointers or general advice on how to proceed, it
> would be greatly appreciated.
>
> Thank you for your time,

Regards,
  Kristian
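
The check discussed in this thread, as an added example that is not part of the original message and is not XORP or kernel code: a strict reverse path check that does a longest-prefix match on the packet's source address and accepts the packet only if the route back to that source leaves through the interface the packet arrived on. The route table, the interface numbers and the names fib_lookup and rpf_accept are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One FIB entry: prefix/len is reachable through interface ifindex. */
struct route { uint32_t prefix; uint8_t len; int ifindex; };

/* Constructed sample FIB (host byte order), not taken from a real router. */
static const struct route fib[] = {
    { 0x0A000000u,  8, 1 },  /* 10.0.0.0/8     via if 1 */
    { 0x0A010000u, 16, 2 },  /* 10.1.0.0/16    via if 2 (more specific) */
    { 0xC0A80100u, 24, 3 },  /* 192.168.1.0/24 via if 3 */
};
#define FIB_LEN (sizeof fib / sizeof fib[0])

/* Netmask for a prefix length; len 0 is special-cased to avoid a 32-bit shift. */
static uint32_t mask_of(uint8_t len)
{
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match: interface used to reach addr, or -1 if no route. */
int fib_lookup(uint32_t addr)
{
    int best_if = -1, best_len = -1;
    for (size_t i = 0; i < FIB_LEN; i++) {
        if ((addr & mask_of(fib[i].len)) == fib[i].prefix && fib[i].len > best_len) {
            best_len = fib[i].len;
            best_if = fib[i].ifindex;
        }
    }
    return best_if;
}

/* Strict RPF: accept only if the route back to src points out of in_if. */
int rpf_accept(uint32_t src, int in_if)
{
    int back_if = fib_lookup(src);
    return back_if != -1 && back_if == in_if;
}

int main(void)
{
    /* 10.1.2.3 is covered by 10.0.0.0/8 (if 1) but best matched by 10.1.0.0/16 (if 2). */
    printf("10.1.2.3 on if 1: %s\n", rpf_accept(0x0A010203u, 1) ? "accept" : "drop");
    printf("10.1.2.3 on if 2: %s\n", rpf_accept(0x0A010203u, 2) ? "accept" : "drop");
    return 0;
}
```

Because the sample table has no default route, a source with no matching prefix is dropped on every interface; with a default route present, such sources would pass on the default route's interface.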