Spoof protection with redundant routes

Spoof protection with redundant routes

[Claus Fischer]

I have a box with two redundant CIPE tunnels to a
remote network 10.36.x.x.


Routing table:

Destination  Gateway      Genmask           ...      Iface
...	     		  		    
10.36.1.12   0.0.0.0      255.255.255.255   UH 0 0 0 cipcb3
10.36.1.11   0.0.0.0      255.255.255.255   UH 0 0 0 cipcb1
10.36.0.0    10.36.1.12   255.255.0.0       UG 0 0 0 cipcb3
10.36.0.0    10.36.1.11   255.255.0.0       UG 0 0 0 cipcb1
...


Now when a packet comes in from 10.36.2.2 on cipcb1, the
spoof protection kills it, since the outgoing packet would
take the route via cipcb3 which is first. I didn't quite
expect that initially.

- Is that known and by design?
- Is that the desired behaviour?
- Is there some possibility to change that?
- Do I have a choice other than to turn off rp_filter?

Claus

-- 
Claus Fischer <claus.fischer@clausfischer.com>
http://www.clausfischer.com/

Re: Spoof protection with redundant routes

[Andi Kleen]

Claus Fischer <claus.fischer@clausfischer.com> writes:

> - Is that known and by design?

Yes.

> - Is that the desired behaviour?

Yes.

> - Is there some possibility to change that?

You could define a multipath route with multiple nexthops (needs iproute2)

-Andi