netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
	davem@davemloft.net
Subject: Re: [PATCH RFC v2 0/5] netfilter reverse path filter matches
Date: Wed, 28 Sep 2011 23:18:47 +0200
Message-ID: <20110928211847.GC2761@1984>
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

On Mon, Sep 12, 2011 at 09:42:27PM +0200, Florian Westphal wrote:
> Version 2 of the ipv4/v6 reverse path filter matches discussed during
> nfws 2011.
> 
> The ipv4 match (ipt_rpfilter) tries to do exactly what the current
> fib_validate_source does.  The main problem with this is that
> we need to do an additional fib lookup to get the oif in the match.
> [ delaying until FORWARD is invoked is not possible because by
>   that point the stack might have already sent icmp errors ].
> 
> Patrick McHardy suggested to simply attach the result as the dst, so
> ipv4 input path doesn't have to do it again.
> 
> This works, but does have a few side effects wrt. route-by-mark and
> TPROXY, see patch changelog for details.
> 
> The ipv6 version does a pure 'reverse' lookup instead.  This makes
> things a lot easier (e.g. when multiple route entries exist), but has
> the caveat that a real reply packet might be handled differently due to
> policy routing rules.
> 
> Userspace part is stored in my iptables repository on
> http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/iptables.git (branch 'rpfilter').
> 
> Kernel patches are located in the 'xt_rpfilter_5' branch on
> http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/nf-next.git
> (patches will be sent as followup to this email).
> 
> [ in case you are wondering: the earlier xt_rpfilter version was
>   removed -- causes too many module dependency issues and most of the
>   code cannot be shared anyway ].

This involves other net changes, I'd like to get an ack from David
before applying this. Or let me know if it's better to follow the
netdev path.
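
As an added illustration (not code from the patch series or from the kernel), the following Python models the strict reverse-path check that fib_validate_source performs and that the proposed rpfilter match reproduces: a longest-prefix lookup of the packet's source address, followed by a comparison of the resulting output interface with the interface the packet actually arrived on. The routing table, interface names and packets are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    oif: str  # interface the kernel would send via for this prefix


# Constructed FIB (assumption): a router with an uplink eth0 and two LANs.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # IPv4 default route
    Route(ipaddress.ip_network("10.0.1.0/24"), "eth1"),
    Route(ipaddress.ip_network("10.0.2.0/24"), "eth2"),
    Route(ipaddress.ip_network("::/0"), "eth0"),            # IPv6 default route
    Route(ipaddress.ip_network("2001:db8:1::/64"), "eth1"),
]


def fib_lookup(fib, addr):
    """Longest-prefix match for addr; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if ip.version != r.prefix.version or ip not in r.prefix:
            continue
        if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
            best = r
    return best


def rpfilter(fib, src, iif):
    """Strict reverse path check: the route back to src must leave via iif.

    This is the 'reverse' lookup the cover letter describes: the source
    address is looked up as if it were a destination. Note the caveat from
    the thread: with asymmetric or policy routing a genuine reply can arrive
    on an interface other than the one the lookup returns and would fail here.
    """
    route = fib_lookup(fib, src)
    if route is None:
        return False  # unroutable source: no valid reverse path
    return route.oif == iif


def spoofed(fib, packets):
    """Return the (src, iif) pairs that fail the reverse path check."""
    return [(src, iif) for src, iif in packets if not rpfilter(fib, src, iif)]
```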


Thread overview: 9+ messages
2011-09-12 19:42 [PATCH RFC v2 0/5] netfilter reverse path filter matches Florian Westphal
2011-09-12 19:42 ` [RFC PATCH 1/5] net: ipv4: export fib_table_lookup Florian Westphal
2011-09-12 19:42 ` [RFC PATCH 2/5] net: ipv4: move ip_rcv route error counter handling into helper function Florian Westphal
2011-09-12 19:42 ` [RFC PATCH 3/5] netfilter: add ipv4 reverse path filter match Florian Westphal
2011-09-12 19:42 ` [RFC PATCH 4/5] ipv6: add ip6_route_lookup Florian Westphal
2011-09-12 19:42 ` [RFC PATCH 5/5] netfilter: add ipv6 reverse path filter match Florian Westphal
2011-09-28 21:18 ` Pablo Neira Ayuso [this message]
2011-09-28 21:23   ` [PATCH RFC v2 0/5] netfilter reverse path filter matches Florian Westphal
2011-09-28 22:39     ` David Miller
