-rw-r--r-- | Documentation/networking/ip-sysctl.txt | 24 | ||||
-rw-r--r-- | net/ipv4/fib_frontend.c | 2 |
2 files changed, 16 insertions, 10 deletions
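--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -699,16 +699,22 @@ accept_source_route - BOOLEAN
 	default TRUE (router)
 		FALSE (host)
 
-rp_filter - BOOLEAN
-	1 - do source validation by reversed path, as specified in RFC1812
-	    Recommended option for single homed hosts and stub network
-	    routers. Could cause troubles for complicated (not loop free)
-	    networks running a slow unreliable protocol (sort of RIP),
-	    or using static routes.
-
+rp_filter - INTEGER
 	0 - No source validation.
-
-	conf/all/rp_filter must also be set to TRUE to do source validation
+	1 - Strict mode as defined in RFC3704 Strict Reverse Path
+	    Each incoming packet is tested against the FIB and if the interface
+	    is not the best reverse path the packet check will fail.
+	    By default failed packets are discarded.
+	2 - Loose mode as defined in RFC3704 Loose Reverse Path
+	    Each incoming packet's source address is also tested against the FIB
+	    and if the source address is not reachable via any interface
+	    the packet check will fail.
+
+	Current recommended practice in RFC3704 is to enable strict mode
+	to prevent IP spoofin from DDos attacks. If using asymmetric routing
+	or other complicated routing,t hen loose mode is recommended.
+
+	conf/all/rp_filter must also be set to non-zero to do source validation
 	on the interface
 
 Default value is 0. Note that some distributions enable it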
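--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -275,7 +275,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 	fib_res_put(&res);
 	if (no_addr)
 		goto last_resort;
-	if (rpf)
+	if (rpf == 1)
 		goto e_inval;
 	fl.oif = dev->ifindex;
 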
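Review bot: The new comparison at line 278, `if (rpf == 1)`, makes every non-zero rp_filter value other than 1 take the loose path, whereas before any non-zero value was treated as strict; a misconfigured value such as 3 now silently weakens to loose mode instead of being rejected. The accompanying documentation describes only the values 0, 1 and 2, so this line deserves a comment, `/* rp_filter: 1 = strict RFC3704 check, any other non-zero value = loose */`, and preferably the sysctl handler that stores rp_filter should reject writes outside 0..2 so an out-of-range setting fails at write time rather than changing the check's strength here (that handler is not in this hunk, so I cannot confirm how the value is validated). Where rpf is derived and where the loose-mode reachability test is applied are both outside the hunk; the body of fib_validate_source begins and ends outside it.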