From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Scott Shambarger <scott-netfilter@shambarger.net>
Cc: netfilter@vger.kernel.org
Subject: Re: Returning nat packets vanishing after mangle:PREROUTING and conntrack processing
Date: Sat, 19 Dec 2009 19:39:51 +0100 [thread overview]
Message-ID: <4B2D1DF7.1060105@plouf.fr.eu.org> (raw)
In-Reply-To: <40efba0ec31032f27b200a4da7b17ae9@localhost>
Scott Shambarger a écrit :
>
> Fantastic, works great. Changed to 'net.ipv4.conf.default.rp_filter = 0'
> in sysctl.conf (was set to 1).
>
> Oddly, I had rp_filter enabled on the system in kernel 2.6.30 and it
> worked. Has rp_filter changed somehow in the newer kernel (or is it now
> working 'correctly'?).
(Searching in kernel changelogs...)
Yes, rp_filter slighly changed in kernel 2.6.31 (commit
27fed4175acf81ddd91d9a4ee2fd298981f60295). IIUC it is the way that
net.ipv4.conf.<interface>.rp_filter and net.ipv4.conf.all.rp_filter are
combined together that changed from a logical AND to an arithmetic MAX.
This was a fix for a previous patch in kernel 2.6.30 (commit
c1cf8422f0512c2b14f0d66bce34abb0645c888a) which added support for
reverse path filtering "loose mode" (actually a route presence check),
changing rp_filter type from boolean to integer and assigning the value
2 to the new loose mode (see Documentation/networking/ip-sysctl.txt for
details).
Before kernel 2.6.31 :
Actual rp_filter for <interface> = net.ipv4.conf.<interface>.rp_filter
AND net.ipv4.conf.all.rp_filter
I.e. reverse path filtering is enabled in strict mode if rp_filter=1 for
both "all" and the interface.
Since kernel 2.6.31 :
Actual rp_filter for <interface> =
MAX(net.ipv4.conf.<interface>.rp_filter, net.ipv4.conf.all.rp_filter)
I.e. reverse path filtering is enabled in strict mode if rp_filter=1 for
either "all" or the interface.
If by "I had rp_filter enabled" you mean that only
net.ipv4.conf.default.rp_filter was set to 1 and
net.ipv4.conf.all.rp_filter was left to 0 (default), then with the
kernel 2.6.30 the resulting AND was 0, so the reverse path filtering was
disabled. But with the kernel 2.6.31 the resulting MAX is 1, so strict
reverse path filtering is enabled.
Notes :
1) "Loose" reverse path filtering may be a bit better than no reverse
path filtering and should work with your setup.
2) Reverse path filtering in kernel 2.6.32 uses the mark as in policy
routing, so strict reverse path filtering may work better in multihomed
setups like yours.
next prev parent reply other threads:[~2009-12-19 18:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-18 18:23 Returning nat packets vanishing after mangle:PREROUTING and conntrack processing Scott Shambarger
2009-12-19 13:12 ` Pascal Hambourg
2009-12-19 14:37 ` Scott Shambarger
2009-12-19 18:39 ` Pascal Hambourg [this message]
2009-12-20 20:43 ` Scott Shambarger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B2D1DF7.1060105@plouf.fr.eu.org \
--to=pascal.mail@plouf.fr.eu.org \
--cc=netfilter@vger.kernel.org \
--cc=scott-netfilter@shambarger.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).