From: Rob Landley <landley@webofficenow.com>
To: Dan Hollis <goemon@anime.net>, David Ford <david@blue-labs.org>
Cc: <landley@webofficenow.com>, <linux-kernel@vger.kernel.org>
Subject: Re: RP_FILTER runs too late
Date: Thu, 9 Aug 2001 04:05:57 -0400
Message-ID: <01080904055701.15175@localhost.localdomain>
In-Reply-To: <Pine.LNX.4.30.0108071206190.3304-100000@anime.net>
On Tuesday 07 August 2001 15:07, Dan Hollis wrote:
> On Tue, 7 Aug 2001, David Ford wrote:
> > I'd rather see SNAT available in pre-routing and have rp_filter run
> > against the packet before it hits the netfilter code.
I believe the reason they put SNAT at the end is that when we're about to
send out we no longer care what the source address is, but before that we do,
and changing it early would overwrite fields the rest of the network stack is
still using. (Same reason dnat happens first thing. If we redirect it, we
want the rest of the network stack to use the NEW destination, and among
other things send it out the right interface...)
Principle of "least amount of new code". (Laziness IS one of Larry Wall's
Seven Deadly Virtues in programmers...)
> There is one other problem with rp_filter.... rp_filter violations are
> S I L E N T. You never know when traffic is dropped because of it. Packets
> just disappear.
>
> If it generated printk's it would make it a lot easier to track down
> filtering problems.
There is a logging option, but it needs a lot of extra knobs if you ask me.
(Logging to a file would be nice. I suspect there's a way to do that but I
couldn't find it circa 2.4.3, which is the last time I gave it much thought.
Also "log if last rule triggered". Haven't been bothered enough to break
open the source other than for debugging purposes, though...)
> -Dan
Rob
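As an added example (not part of the thread), a small Python audit in the spirit of Dan's complaint: it lists interfaces on which rp_filter is effectively on while the kernel's martian logging (the log_martians sysctl, presumably the logging option Rob refers to) is off, and it parses the "martian source ... from ..., on dev ..." lines the kernel emits when that logging is enabled. The sysctl snapshot and log excerpt are constructed; on a live host they come from /proc/sys/net/ipv4/conf/ and the kernel log.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot of /proc/sys/net/ipv4/conf/<if>/{rp_filter,log_martians};
# hypothetical values, not read from any real host.
SYSCTL_SNAPSHOT: Dict[str, Tuple[int, int]] = {
    "all":  (1, 0),  # strict rp_filter forced on globally, martian logging off
    "eth0": (0, 0),  # a per-interface 0 does not override conf/all for rp_filter
    "eth1": (2, 1),  # loose mode, with logging on
    "lo":   (0, 0),
}

def effective(snapshot: Dict[str, Tuple[int, int]], iface: str) -> Tuple[int, int]:
    """Combine conf/all with the per-interface value the way the kernel does:
    rp_filter takes the maximum of the two, log_martians is a logical OR."""
    all_rp, all_log = snapshot["all"]
    rp, log = snapshot[iface]
    return max(all_rp, rp), int(bool(all_log or log))

def silent_filters(snapshot: Dict[str, Tuple[int, int]]) -> List[str]:
    """Interfaces on which rp_filter will drop packets without logging anything."""
    return sorted(i for i in snapshot if i != "all"
                  and effective(snapshot, i)[0] > 0 and effective(snapshot, i)[1] == 0)

# Shape of the line the kernel logs when log_martians is set; the first address
# is the destination, the second the (rejected) source.
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")

def parse_martians(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (dst, src, dev) for each martian line; 'll header' dumps are skipped."""
    return [m.groups() for m in map(MARTIAN_RE.search, lines) if m]

def top_sources(lines: Iterable[str]) -> Counter:
    """Count martian drops per (source address, ingress interface)."""
    return Counter((src, dev) for _dst, src, dev in parse_martians(lines))

# Constructed kernel log excerpt.
SAMPLE_LOG = [
    "[  812.501] IPv4: martian source 10.0.0.5 from 192.168.1.7, on dev eth0",
    "[  812.501] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00",
    "[  813.010] IPv4: martian source 10.0.0.5 from 192.168.1.7, on dev eth0",
    "[  815.340] IPv4: martian source 10.0.0.5 from 10.0.0.99, on dev eth1",
]

if __name__ == "__main__":
    print("rp_filter on but unlogged:", silent_filters(SYSCTL_SNAPSHOT))
    for (src, dev), n in top_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} via {dev}")
```

Note that eth0 is reported even though its own rp_filter is 0, because conf/all/rp_filter=1 still applies to it.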