3/20/2019 Disabling rp_filter on one interface
Disabling rp_filter on one interface
[+9] [1] Cybran
[2016-11-22 [Link]
[ linux routing kernel ubuntu-16.04 filtering ]
[ [Link] ]
I have an Ubuntu 16.04 Server which is acting as a router with multiple (VLAN) interfaces. By default,
rp_filter (reverse path filtering) is enabled for all interfaces. I want to keep it that way, but make an
exception for exactly one interface. (Packets from this interface should be allowed to have a source IP address
which does not correspond to any routing destination address of this interface.)
Let's say this interface has the name ens20.4, its vlan-raw-device is ens20, and the destination interface (for
testing the packet flow) is named ens20.2 (though it should work for any destination interface).
I tried to set the rp_filter property for ens20.4 only, without success:
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter
So, for testing purposes, I also disabled rp_filter for the vlan-raw-device and the testing destination
interface:
echo 0 > /proc/sys/net/ipv4/conf/ens20/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens20.2/rp_filter
Still no success: packets with a "spoofed" source IP address are still dropped. Only if I disable rp_filter for
all interfaces do packets get through:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
However, I still want to keep the reverse path filtering for all the other interfaces - what am I missing?
Some more testing revealed that reverse path filtering is active if rp_filter is set to 1 for either all or the inbound interface. Still
looking for a definitive answer or documentation reference though, which I was not able to find so far. - Cybran
Could you add an example? You'd have to give ip address and routing tables as well as an example incoming packet. - A.B
[+10] [2016-11-22 [Link] A.B [ ACCEPTED]
Info there: [Link]
[Link]/tree/Documentation/networking/[Link]?h=v4.9#n1090
Note the last sentence that would explain your attempts:
The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.
So this should work:
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > "$i"
done
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter
Now max(conf/{all,ens20.4}/rp_filter) == 0 : no source validation. Just double-check that the other interfaces are still
protected.
You can also check "loose" rpf with the value 2. In case the packet should normally be routed by another interface, that
would be better than no validation.
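A check for the "double-check that the other interfaces are still protected" step, added here as an example and not part of the original answer: it reads each interface's rp_filter sysctl and computes the effective mode with the max(all, interface) rule the answer cites, then lists interfaces left with no validation. The function names and the optional directory argument (so the audit can be pointed at a constructed tree instead of /proc/sys) are my own.

```shell
#!/bin/sh
# Audit the effective rp_filter mode per interface.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter):
# 0 = off, 1 = strict, 2 = loose.

# effective_rpf ALL_VALUE IFACE_VALUE -> prints the larger of the two
effective_rpf() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rpf_name VALUE -> human-readable mode name
rpf_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# audit_rpf [CONF_DIR] -> one line per interface: "<iface> effective=<n> (<name>)"
# CONF_DIR defaults to the live sysctl tree; pass another directory (hypothetical
# test tree laid out like conf/<iface>/rp_filter) to audit constructed values.
# "all" and "default" are skipped: they are knobs, not interfaces.
audit_rpf() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf/all/rp_filter")
    for f in "$conf"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        [ "$iface" = "all" ] && continue
        [ "$iface" = "default" ] && continue
        eff=$(effective_rpf "$all" "$(cat "$f")")
        printf '%s effective=%s (%s)\n' "$iface" "$eff" "$(rpf_name "$eff")"
    done
}

# unprotected_ifaces [CONF_DIR] -> names of interfaces whose effective mode is 0,
# i.e. the ones that accept packets with a source not routed via that interface
unprotected_ifaces() {
    audit_rpf "$1" | awk '$2 == "effective=0" { print $1 }'
}

# Stand-alone run against the live tree when it is readable
[ -r /proc/sys/net/ipv4/conf/all/rp_filter ] && audit_rpf
```

After applying the answer's sequence (all=0, ens20.4=0 or 2), only ens20.4 should appear in the unprotected list, and with the "loose" choice the list should be empty.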
(1) Thank you, that explains it very well! Special thanks for the "loose" rpf suggestion, which is indeed the better choice for my
setup. Also makes it unnecessary to set all/rp_filter to 0, which is most welcome. - Cybran