1 files changed, 15 insertions, 9 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ff3f219ee4d7..71041c21af9b 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -699,16 +699,22 @@ accept_source_route - BOOLEAN
        default TRUE (router)
                FALSE (host)
-rp_filter - BOOLEAN
+rp_filter - INTEGER
-        1 - do source validation by reversed path, as specified in RFC1812
-            Recommended option for single homed hosts and stub network
-            routers. Could cause troubles for complicated (not loop free)
-            networks running a slow unreliable protocol (sort of RIP),
-            or using static routes.
        0 - No source validation.
+        1 - Strict mode as defined in RFC3704 Strict Reverse Path
-        conf/all/rp_filter must also be set to TRUE to do source validation
+            Each incoming packet is tested against the FIB and if the interface
+            is not the best reverse path the packet check will fail.
+            By default failed packets are discarded.
+        2 - Loose mode as defined in RFC3704 Loose Reverse Path
+            Each incoming packet's source address is also tested against the FIB
+            and if the source address is not reachable via any interface
+            the packet check will fail.
+        Current recommended practice in RFC3704 is to enable strict mode
+        to prevent IP spoofin from DDos attacks. If using asymmetric routing
+        or other complicated routing,t hen loose mode is recommended.
+        conf/all/rp_filter must also be set to non-zero to do source validation
        on the interface
        Default value is 0. Note that some distributions enable it

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ff3f219ee4d7..71041c21af9b 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt
@@ -699,16 +699,22 @@ accept_source_route - BOOLEAN
699	default TRUE (router)	699	default TRUE (router)
700	FALSE (host)	700	FALSE (host)
701		701
702	rp_filter - BOOLEAN	702	rp_filter - INTEGER
703	1 - do source validation by reversed path, as specified in RFC1812
704	Recommended option for single homed hosts and stub network
705	routers. Could cause troubles for complicated (not loop free)
706	networks running a slow unreliable protocol (sort of RIP),
707	or using static routes.
708
709	0 - No source validation.	703	0 - No source validation.
710		704	1 - Strict mode as defined in RFC3704 Strict Reverse Path
711	conf/all/rp_filter must also be set to TRUE to do source validation	705	Each incoming packet is tested against the FIB and if the interface
		706	is not the best reverse path the packet check will fail.
		707	By default failed packets are discarded.
		708	2 - Loose mode as defined in RFC3704 Loose Reverse Path
		709	Each incoming packet's source address is also tested against the FIB
		710	and if the source address is not reachable via any interface
		711	the packet check will fail.
		712
		713	Current recommended practice in RFC3704 is to enable strict mode
		714	to prevent IP spoofin from DDos attacks. If using asymmetric routing
		715	or other complicated routing,t hen loose mode is recommended.
		716
		717	conf/all/rp_filter must also be set to non-zero to do source validation
712	on the interface	718	on the interface
713		719
714	Default value is 0. Note that some distributions enable it	720	Default value is 0. Note that some distributions enable it