Linux Netfilter discussions
From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: nft -- documentation on fib_addrtype missing
Date: Fri, 11 Oct 2019 14:15:53 +1100
Message-ID: <87r23kx992.fsf@goll.lan>
In-Reply-To: 37a942dc-dff2-d087-3455-78565e290050@satchell.net

Stephen Satchell <list@satchell.net> writes:

> My follow-on project is to describe how to implement the
> recommendations in BCP-38 using IP-ROUTE and NFTABLES.

I can't comment on your fib issue.
However, BCP 38 (RFC 2827):

  Network Ingress Filtering: Defeating Denial of Service Attacks which
  employ IP Source Address Spoofing

For which see rp_filter in sysctl:

    http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html

This works great if you have symmetric routes.
If you have triangular routes, it will do the Wrong Thing.

It also (mostly) isn't useful on servers, where all traffic arrives on a
single interface.

I've also had blackhole routes since forever, assuming (but never
actually checking) that they help rp_filter to do its job.

    iface lo inet loopback
      # Until I think of a better place, add blackhole routes when the
      # loopback interface comes up.  These ensure (unused) private IP
      # ranges aren't accidentally sent to the internet.  Note that even
      # without this, Internode filters outbound packets to private IPs.
      #
      # We also do the same for our /24s, so that if a subnet of them
      # ever lacks a route, packets to that subnet won't be routed to
      # the internet.
      up   ip route   add   blackhole 10/8
      up   ip route   add   blackhole 172.16/12
      up   ip route   add   blackhole 192.168/16
      up   ip route   add   blackhole 169.254/16
      up   ip route   add   blackhole 203.7.155/24
      up   ip route   add   blackhole 203.27.58/24
      down ip route   flush type blackhole

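The mail above names two defences, the rp_filter sysctl and blackhole routes for private and link-local ranges, and warns that rp_filter misbehaves with triangular routes. The following audit script is an added example, not part of Trent's message or of any project; it checks a host's settings against those two points. It assumes the constructed `ip route show type blackhole` and `sysctl net.ipv4.conf` samples embedded below (iproute2 prints `10/8` as `10.0.0.0/8`), and relies on the documented kernel rule that the effective rp_filter on an interface is the maximum of `conf.all.rp_filter` and `conf.<iface>.rp_filter`, with 0 = off, 1 = strict and 2 = loose. The `asymmetric_ifaces` parameter and the interface names eth0/eth1 are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip route show type blackhole`, mirroring the routes in
# the interfaces(5) stanza above after iproute2 expands the shorthand. Not
# captured from a real host.
SAMPLE_BLACKHOLE_ROUTES = """\
blackhole 10.0.0.0/8
blackhole 169.254.0.0/16
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
blackhole 203.7.155.0/24
blackhole 203.27.58.0/24
"""

# Constructed sample of `sysctl net.ipv4.conf` output for a hypothetical host
# with eth0 and eth1. Not real data.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
"""

# Private and link-local ranges that should never leave the host unfiltered.
REQUIRED = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Kernel rp_filter values (Documentation/networking/ip-sysctl.rst).
RP_FILTER_MODES = {0: "off", 1: "strict", 2: "loose"}


def parse_blackhole_routes(text):
    """Parse `ip route show type blackhole` output into ip_network objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "blackhole":
            routes.append(ipaddress.ip_network(fields[1], strict=False))
    return routes


def uncovered_prefixes(routes, required=REQUIRED):
    """Return the required prefixes that no installed blackhole route covers."""
    return [p for p in required
            if not any(p.subnet_of(r) for r in routes if r.version == p.version)]


def parse_rp_filter(text):
    """Map 'all', 'default' and each interface name to its rp_filter value."""
    pattern = re.compile(r"net\.ipv4\.conf\.(\S+)\.rp_filter\s*=\s*(\d)")
    return {m.group(1): int(m.group(2)) for m in pattern.finditer(text)}


def effective_rp_filter(values, iface):
    """The kernel applies max(conf.all, conf.<iface>) when validating sources.
    An interface absent from the sample is assumed to have inherited 'default'."""
    per_iface = values.get(iface, values.get("default", 0))
    return max(values.get("all", 0), per_iface)


def audit(routes_text, sysctl_text, asymmetric_ifaces=()):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    routes = parse_blackhole_routes(routes_text)
    for prefix in uncovered_prefixes(routes):
        findings.append(f"no blackhole route covers {prefix}")

    values = parse_rp_filter(sysctl_text)
    for iface in sorted(k for k in values if k not in ("all", "default")):
        mode = RP_FILTER_MODES[effective_rp_filter(values, iface)]
        if mode == "off":
            findings.append(f"{iface}: rp_filter off, spoofed sources are not checked")
        elif mode == "strict" and iface in asymmetric_ifaces:
            # Strict mode drops packets whose reply would leave via another
            # interface, the "triangular routes" case from the mail; loose
            # mode (2) only requires that the source be reachable at all.
            findings.append(f"{iface}: strict rp_filter on an interface with "
                            "asymmetric routes will drop legitimate traffic; "
                            "consider loose mode (2)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BLACKHOLE_ROUTES, SAMPLE_SYSCTL,
                         asymmetric_ifaces=("eth0",)):
        print(finding)
```

On a live host the two samples would be replaced by the output of `ip route show type blackhole` and `sysctl net.ipv4.conf`; the checks deliberately operate on text so the script can also be run against configuration captured from remote machines.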