diff options
author | Stephen Hemminger <shemminger@vyatta.com> | 2009-02-20 08:25:36 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-02-22 19:54:45 -0800 |
commit | c1cf8422f0512c2b14f0d66bce34abb0645c888a (patch) | |
tree | b00499a8eb15d6613cfbce6d2770638b98cb2aae /Documentation | |
parent | 6dac62d3888a34f5bccbe14222ba77e8877a2e54 (diff) | |
download | linux-c1cf8422f0512c2b14f0d66bce34abb0645c888a.tar.bz2 |
ip: add loose reverse path filtering
Extend existing reverse path filter option to allow strict or loose
filtering. (See http://en.wikipedia.org/wiki/Reverse_path_filtering).
For compatibility with existing usage, the value 1 is chosen for strict mode
and 2 for loose mode.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/networking/ip-sysctl.txt | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ff3f219ee4d7..71041c21af9b 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -699,16 +699,22 @@ accept_source_route - BOOLEAN default TRUE (router) FALSE (host) -rp_filter - BOOLEAN - 1 - do source validation by reversed path, as specified in RFC1812 - Recommended option for single homed hosts and stub network - routers. Could cause troubles for complicated (not loop free) - networks running a slow unreliable protocol (sort of RIP), - or using static routes. - +rp_filter - INTEGER 0 - No source validation. - - conf/all/rp_filter must also be set to TRUE to do source validation + 1 - Strict mode as defined in RFC3704 Strict Reverse Path + Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. + By default failed packets are discarded. + 2 - Loose mode as defined in RFC3704 Loose Reverse Path + Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface + the packet check will fail. + + Current recommended practice in RFC3704 is to enable strict mode + to prevent IP spoofin from DDos attacks. If using asymmetric routing + or other complicated routing,t hen loose mode is recommended. + + conf/all/rp_filter must also be set to non-zero to do source validation on the interface Default value is 0. Note that some distributions enable it |