diff options
| author | Stephen Hemminger <shemminger@vyatta.com> | 2009-02-20 03:25:36 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-02-22 22:54:45 -0500 |
| commit | c1cf8422f0512c2b14f0d66bce34abb0645c888a (patch) | |
| tree | b00499a8eb15d6613cfbce6d2770638b98cb2aae /Documentation/networking | |
| parent | 6dac62d3888a34f5bccbe14222ba77e8877a2e54 (diff) | |
ip: add loose reverse path filtering
Extend existing reverse path filter option to allow strict or loose
filtering. (See http://en.wikipedia.org/wiki/Reverse_path_filtering).
For compatibility with existing usage, the value 1 is chosen for strict mode
and 2 for loose mode.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation/networking')
| -rw-r--r-- | Documentation/networking/ip-sysctl.txt | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ff3f219ee4d7..71041c21af9b 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt | |||
| @@ -699,16 +699,22 @@ accept_source_route - BOOLEAN | |||
| 699 | default TRUE (router) | 699 | default TRUE (router) |
| 700 | FALSE (host) | 700 | FALSE (host) |
| 701 | 701 | ||
| 702 | rp_filter - BOOLEAN | 702 | rp_filter - INTEGER |
| 703 | 1 - do source validation by reversed path, as specified in RFC1812 | ||
| 704 | Recommended option for single homed hosts and stub network | ||
| 705 | routers. Could cause troubles for complicated (not loop free) | ||
| 706 | networks running a slow unreliable protocol (sort of RIP), | ||
| 707 | or using static routes. | ||
| 708 | |||
| 709 | 0 - No source validation. | 703 | 0 - No source validation. |
| 710 | 704 | 1 - Strict mode as defined in RFC3704 Strict Reverse Path | |
| 711 | conf/all/rp_filter must also be set to TRUE to do source validation | 705 | Each incoming packet is tested against the FIB and if the interface |
| 706 | is not the best reverse path the packet check will fail. | ||
| 707 | By default failed packets are discarded. | ||
| 708 | 2 - Loose mode as defined in RFC3704 Loose Reverse Path | ||
| 709 | Each incoming packet's source address is also tested against the FIB | ||
| 710 | and if the source address is not reachable via any interface | ||
| 711 | the packet check will fail. | ||
| 712 | |||
| 713 | Current recommended practice in RFC3704 is to enable strict mode | ||
| 714 | to prevent IP spoofin from DDos attacks. If using asymmetric routing | ||
| 715 | or other complicated routing,t hen loose mode is recommended. | ||
| 716 | |||
| 717 | conf/all/rp_filter must also be set to non-zero to do source validation | ||
| 712 | on the interface | 718 | on the interface |
| 713 | 719 | ||
| 714 | Default value is 0. Note that some distributions enable it | 720 | Default value is 0. Note that some distributions enable it |