
I have an Ubuntu 16.04 Server which is acting as a router with multiple (VLAN) interfaces. By default, rp_filter (reverse path filtering) is enabled for all interfaces. I want to keep it that way, but make an exception for exactly one interface. (Packets from this interface should be allowed to have a source IP address which does not correspond to any routing destination address of this interface.)

Let's say this interface has the name ens20.4, its vlan-raw-device is ens20, and the destination interface (for testing the packet flow) is named ens20.2 (though it should work for any destination interface).

I tried to set the rp_filter property for ens20.4 only, without success:

echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter

So, for testing purposes, I also disabled rp_filter for the vlan-raw-device and the testing destination interface:

echo 0 > /proc/sys/net/ipv4/conf/ens20/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens20.2/rp_filter

Still no success: packets with a "spoofed" source IP address are still dropped. Only if I disable rp_filter for all interfaces do packets get through:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

However, I still want to keep the reverse path filtering for all the other interfaces - what am I missing?

Cybran
  • Some more testing revealed that reverse path filtering is active if rp_filter is set to 1 for either all or the inbound interface. Still looking for a definitive answer or documentation reference though, which I was not able to find so far. – Cybran Nov 22 '16 at 18:05

1 Answer


Info there: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/Documentation/networking/ip-sysctl.txt?h=v4.9#n1090

Note the last sentence that would explain your attempts:

The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

So this should work:

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter

Now max(conf/{all,ens20.4}/rp_filter) == 0: no source validation. Just double-check that the other interfaces are still protected.

You can also check "loose" rpf with the value 2. In case the packet should normally be routed by another interface, that would be better than no validation.

A.B
    Thank you, that explains it very well! Special thanks for the "loose" rpf suggestion, which is indeed the better choice for my setup. Also makes it unnecessary to set all/rp_filter to 0, which is most welcome. – Cybran Nov 22 '16 at 20:18
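The answer's "double-check that the other interfaces are still protected" step, as an added example that is not part of the original answer or comments: a small POSIX sh audit that applies the documented rule (effective mode = max of conf/all and conf/<interface>) to every interface under a sysctl conf tree. The conf-root argument is an assumption so it can be pointed at a constructed directory for testing instead of the real /proc/sys/net/ipv4/conf; the function names are hypothetical helpers, not kernel or distribution tooling.

```shell
#!/bin/sh
# Added example (not from the original post). Computes the reverse-path-filter
# mode the kernel actually enforces per interface, which is
# max(conf/all/rp_filter, conf/<iface>/rp_filter), and flags interfaces with
# no source validation. The conf root is parameterised (assumption) so the
# logic can run against a constructed directory tree as well as the real
# /proc/sys/net/ipv4/conf.

# Print the effective rp_filter mode (0 off, 1 strict, 2 loose) for one interface.
# Usage: effective_rp_filter <conf-root> <iface>
effective_rp_filter() {
    root=$1
    iface=$2
    all=$(cat "$root/all/rp_filter")
    own=$(cat "$root/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Walk every interface entry (skipping the all/default pseudo-entries), print
# its effective mode, and return 1 if any interface other than the named,
# intentional exceptions ends up with rp_filter fully off.
# Usage: audit_rp_filter <conf-root> [allowed-iface ...]
audit_rp_filter() {
    root=$1
    shift
    rc=0
    for d in "$root"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$root" "$iface")
        if [ "$eff" -eq 0 ]; then
            allowed=0
            for a in "$@"; do
                [ "$a" = "$iface" ] && allowed=1
            done
            if [ "$allowed" -eq 1 ]; then
                echo "$iface: rp_filter off (expected exception)"
            else
                echo "$iface: rp_filter off (UNEXPECTED)"
                rc=1
            fi
        else
            echo "$iface: rp_filter=$eff"
        fi
    done
    return $rc
}

# On a live router, after applying the answer's settings, run for example:
#   audit_rp_filter /proc/sys/net/ipv4/conf ens20.4
# A non-zero exit means some interface besides ens20.4 lost its validation.
```

Because the max rule is applied per interface, the audit also shows why the comment's preferred variant (all/rp_filter left at 1, ens20.4 set to 2) yields loose mode on ens20.4 and strict mode everywhere else.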