-rw-r--r--Documentation/networking/ip-sysctl.txt24
-rw-r--r--net/ipv4/fib_frontend.c2
2 files changed, 16 insertions, 10 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ff3f219ee4d7..71041c21af9b 100644
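--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -699,16 +699,22 @@ accept_source_route - BOOLEAN
  default TRUE (router)
  FALSE (host)
 
-rp_filter - BOOLEAN
- 1 - do source validation by reversed path, as specified in RFC1812
- Recommended option for single homed hosts and stub network
- routers. Could cause troubles for complicated (not loop free)
- networks running a slow unreliable protocol (sort of RIP),
- or using static routes.
-
+rp_filter - INTEGER
  0 - No source validation.
-
- conf/all/rp_filter must also be set to TRUE to do source validation
+ 1 - Strict mode as defined in RFC3704 Strict Reverse Path
+ Each incoming packet is tested against the FIB and if the interface
+ is not the best reverse path the packet check will fail.
+ By default failed packets are discarded.
+ 2 - Loose mode as defined in RFC3704 Loose Reverse Path
+ Each incoming packet's source address is also tested against the FIB
+ and if the source address is not reachable via any interface
+ the packet check will fail.
+
+ Current recommended practice in RFC3704 is to enable strict mode
+ to prevent IP spoofin from DDos attacks. If using asymmetric routing
+ or other complicated routing,t hen loose mode is recommended.
+
+ conf/all/rp_filter must also be set to non-zero to do source validation
  on the interface
 
  Default value is 0. Note that some distributions enable it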
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 741e4fa3e474..cafcc49d0993 100644
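--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -275,7 +275,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
  fib_res_put(&res);
  if (no_addr)
  goto last_resort;
- if (rpf)
+ if (rpf == 1)
  goto e_inval;
  fl.oif = dev->ifindex;
 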
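Review bot: The new test `if (rpf == 1)` at line 278 lets every non-zero value other than 1 continue past `goto e_inval`, whereas the removed `if (rpf)` rejected on any non-zero setting. A host whose rp_filter held some other non-zero value under the old BOOLEAN semantics would therefore silently lose the strict check at this point, and the updated ip-sysctl.txt defines only 0, 1 and 2. Unless the sysctl handler (not visible here) already restricts the value to 0..2, failing closed with `if (rpf && rpf != 2)` keeps undefined values on the strict path. A short comment such as `/* 1 = strict (RFC3704): reject; 2 = loose: fall through to the next lookup */` would also explain the bare constant. fib_validate_source starts and ends outside this hunk, so how rpf is derived from the per-interface and conf/all settings cannot be confirmed from the page.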