OpenBSD Journal

OpenBSD Gains Source Routing

Contributed by sean on from the yet another feature dept.

Robert Mooney writes:

Cedric Berger has checked in changes to the routing subsystem that allow packets to be routed based on their source address.
Cool stuff.

Here's the commit message:


Modified files:
	sys/conf       : files
	sys/net        : pf.c route.c route.h rtsock.c
	sys/netinet    : in.h in_pcb.c ip_icmp.c ip_input.c ip_output.c
	                 ip_var.h
Added files:
	sys/net        : route_src.c

Log message:
extend routing table to be able to match and route packets based on
their *source* IP address in addition to their destination address.
routing table "destination" now contains a "struct sockaddr_rtin"
for IPv4 instead of a "struct sockaddr_in".
the routing socket has been extended in a backward-compatible way.
todo: PMTU enhancements

ok deraadt@ mcbride@
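To make the change concrete, here is an added illustration of what a routing table that matches on source as well as destination does at lookup time. This is not OpenBSD's route_src.c and does not describe the kernel's data structures; it is a small stand-alone Python model. The precedence rule it uses (longest destination prefix wins first, then the longest source prefix, with a source-agnostic entry ranking below any source-qualified one) is an assumption chosen for the model, and the addresses, gateways and interface names in the sample table are constructed.

```python
"""Model of a routing table that matches on source as well as destination.

Added illustration only: this is not OpenBSD's route_src.c, and the
precedence rule below (longest destination prefix first, then longest
source prefix) is an assumption made for the model, not a statement
about the kernel's matching order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    src: Optional[ipaddress.IPv4Network]  # None: matches any source (a classic route)
    gateway: str
    ifname: str


class SourceAwareTable:
    """Routing table whose entries may carry an optional source prefix."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, dst: str, gateway: str, ifname: str, src: Optional[str] = None) -> None:
        self.routes.append(Route(
            ipaddress.ip_network(dst),
            ipaddress.ip_network(src) if src is not None else None,
            gateway, ifname))

    def lookup(self, dst_ip: str, src_ip: str) -> Optional[Route]:
        d = ipaddress.ip_address(dst_ip)
        s = ipaddress.ip_address(src_ip)
        best: Optional[Route] = None
        best_key: Optional[Tuple[int, int]] = None
        for r in self.routes:
            if d not in r.dst:
                continue                      # destination prefix does not cover the packet
            if r.src is not None and s not in r.src:
                continue                      # source-qualified entry, but wrong source
            # Assumed precedence: most specific destination first, then most
            # specific source; an unqualified entry ranks below any qualified one.
            key = (r.dst.prefixlen, r.src.prefixlen if r.src is not None else -1)
            if best_key is None or key > best_key:
                best, best_key = r, key
        return best


def build_demo_table() -> SourceAwareTable:
    """Constructed sample: two uplinks, with the second LAN pinned to the second uplink."""
    t = SourceAwareTable()
    t.add("0.0.0.0/0", "198.51.100.1", "em0")                      # default via ISP1, any source
    t.add("0.0.0.0/0", "192.0.2.1", "em1", src="192.168.2.0/24")   # LAN2 sources go via ISP2
    t.add("10.0.0.0/8", "192.168.1.254", "em2")                    # internal net, any source
    return t


def next_hop(table: SourceAwareTable, dst_ip: str, src_ip: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) for a packet, or None when nothing matches."""
    r = table.lookup(dst_ip, src_ip)
    return (r.gateway, r.ifname) if r is not None else None


if __name__ == "__main__":
    t = build_demo_table()
    for dst, src in [("203.0.113.10", "192.168.1.5"),   # LAN1 -> Internet: ISP1
                     ("203.0.113.10", "192.168.2.5"),   # LAN2 -> Internet: ISP2
                     ("10.1.2.3", "192.168.2.5"),       # LAN2 -> internal: specific dst wins
                     ("203.0.113.10", "172.16.0.9")]:   # unknown source: plain default
        print(dst, src, "->", next_hop(t, dst, src))
```

Two things the model makes visible that a destination-only table cannot: a source-qualified default route only applies to its own sources (a packet from an unlisted source still takes the plain default, and a table holding only source-qualified defaults returns no route for it), and the lookup is now keyed on a field the sender controls. A host that spoofs a source inside 192.168.2.0/24 selects the ISP2 path for itself, so source-based routes belong together with ingress filtering on the interfaces where those sources are legitimate.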

Comments
  1. By Anonymous Coward (67.153.107.130) on

    great, more ways to screw up routing. :P

    Comments
    1. By Lennie (82.74.129.164) on

      Ooh, I actually didn't know they did _not_ have it; it's actually something I need in some obscure situation.

      Well, they do now (in -current only, so it's still months away from normal use), no worries, then. :-)

      I wonder what other policy routing I might be missing out on when I'd go with OpenBSD, instead of my current Linux router.

      I'm almost afraid Linux has better routing support, but OpenBSD is the better firewall.

      Maybe that's how I'll handle it, then. Using the tool for the job.

      BTW, does anyone know of an 'open source' transparent HTTP application proxy?

      So, you'd have a bridge and then pass packets for port 80 to the web server through the HTTP application proxy, but the packets would still seem to come from the original IP, not the proxy.

      I'm really interested in this as a solution to filter (with, for example, apache2/mod_security) scary things from hitting web servers.

      Comments
      1. By Brad (216.209.80.7) brad at comstyle dot com on

        You could do this with PF before anyway.

      2. By nullogic (24.98.72.110) on

        Transparent proxy: http://squid.visolve.com/squid/sqguide.htm. Google is your friend.

    2. By Gernot (213.47.70.127) on

      Doesn't policy routing intrinsically screw up routing? It's up to your judgement whether the pros outweigh the cons. There are very good reasons why people want policy routing.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]