BCP38 on public-facing Ubuntu servers
Fran
fatal at mailbox.org
Tue Jun 8 21:38:59 UTC 2021
Hey,
to my knowledge there is no IPv6 equivalent for net.ipv4.conf.all.rp_filter.
Therefore I use netfilter to do the RP filtering for both address families.
ip(6)tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
Using the raw table, fewer resources are used, but you could also choose other tables.
Details about rpfilter can be found here [1].
This can also be achieved using nftables [2].
Best
Fran
[1] https://ipset.netfilter.org/iptables-extensions.man.html#lbBX
[2] https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information
On 04.06.21 20:43, Jay Vosburgh wrote:
> Grant Taylor via NANOG <nanog at nanog.org> wrote:
>
>> On 6/3/21 8:44 AM, William Herrin wrote:
>>> rp_filter is great until your network is slightly less than a perfect
>>> hierarchy. Then your Linux "router" starts mysteriously dropping packets
>>> and, as with allow_local, Linux doesn't have any way to generate logs
>>> about it so you end up with these mysteriously unexplained packet
>>> discards matching no conceivable rule in iptables... This failure has
>>> too often been the bane of my existence when using Linux for advanced
>>> networking.
>>
>> I don't remember the particulars, but I thought that was the domain of
>> log_martians (net.ipv4.conf.*.log_martians).
>>
>> Without log_martians or explicitly looking for such, no, you won't get any
>> indication of such drops.
>
> Yes, enabling the log_martians sysctl will generate a kernel log
> message for each rp_filter failure (subject to rate limiting). There
> are also stat counters in /proc/net/stat/rt_cache (one line per CPU) for
> in_martian_dst and in_martian_src which increment regardless of the
> log_martians setting.
>
> The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu,
> but can be set to loose mode (== 2); the difference is, essentially, in
> strict mode the reverse path must be the same interface as the ingress
> interface, whereas in loose mode the reverse path can be any interface
> (as long as the source address is reachable).
>
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
>
> -J
>
> ---
> -Jay Vosburgh, jay.vosburgh at canonical.com
>
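The two things the thread leaves to the reader are (a) a complete rpfilter ruleset for both address families in the nftables form Fran points to in [2], with the logging and counters that William Herrin notes plain rp_filter lacks, and (b) a quick way to read the per-CPU in_martian_dst / in_martian_src counters in /proc/net/stat/rt_cache that Jay mentions. The script below is an added example written for this page; it is not code from any of the posts or from the netfilter project. It assumes an nft build that understands the fib expression and named chain priorities, and the rt_cache layout Jay describes (a header line naming the columns, then one line of hex counters per CPU, which is what the kernel's rt_cpu_seq_show prints). The sample rt_cache text embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumptions: nftables with the "fib" expression and named priorities;
# /proc/net/stat/rt_cache laid out as a header line plus one hex line per CPU.

# Emit an nftables ruleset doing reverse-path filtering for IPv4 and IPv6 in
# one "inet" table.  strict = the reverse route must leave via the ingress
# interface (rp_filter=1 semantics, breaks on asymmetric routing);
# loose = any route back to the source is enough (rp_filter=2 semantics).
# Drops are counted and logged, which is the visibility plain rp_filter
# only gives you with log_martians.
rpf_ruleset() {
    mode="${1:-strict}"
    case "$mode" in
        strict) fibexpr='fib saddr . iif oif missing' ;;
        loose)  fibexpr='fib saddr oif missing' ;;
        *) echo "rpf_ruleset: unknown mode '$mode' (use strict|loose)" >&2; return 1 ;;
    esac
    cat <<EOF
table inet rpfilter {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iif lo accept
        $fibexpr counter log prefix "rpfilter-drop: " drop
    }
}
EOF
}

# The same policy as iptables/ip6tables rules, i.e. Fran's one-liner for
# each family, with --loose added when loose mode is requested.
rpf_iptables_rules() {
    opt=""
    case "${1:-strict}" in loose) opt=" --loose" ;; esac
    for t in iptables ip6tables; do
        printf '%s -t raw -I PREROUTING -m rpfilter%s --invert -j DROP\n' "$t" "$opt"
    done
}

# Sum in_martian_dst / in_martian_src over all CPUs.  Columns are located by
# name from the header line; values are hex (the kernel prints %08x), so a
# small hex parser is used instead of relying on gawk's strtonum.
# Reads /proc/net/stat/rt_cache by default; pass "-" to read stdin.
martian_counts() {
    awk '
        function hex(s,   i, c, v) {
            v = 0; s = tolower(s)
            for (i = 1; i <= length(s); i++) {
                c = index("0123456789abcdef", substr(s, i, 1))
                if (c == 0) return -1
                v = v * 16 + c - 1
            }
            return v
        }
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("in_martian_dst" in col) || !("in_martian_src" in col)) { bad = 1; exit 1 }
            next
        }
        NF == 0 { next }
        {
            dst += hex($(col["in_martian_dst"]))
            src += hex($(col["in_martian_src"]))
            cpus++
        }
        END {
            if (bad) exit 1
            printf "cpus=%d in_martian_dst=%d in_martian_src=%d\n", cpus, dst, src
        }
    ' "${1:-/proc/net/stat/rt_cache}"
}

# Constructed sample in the rt_cache layout, two CPUs (not real data):
# CPU0 has in_martian_dst=0x1, in_martian_src=0xff; CPU1 has 0x2 and 0x104.
SAMPLE_RT_CACHE='entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00000000  0001a2b3 00000c4d 00000000 00000000 00000010 00000001 000000ff  00000e11 00000003 00000000  00000000 00000000 00000000 00000000 00000000 00000000
00000000  00019f00 00000b0a 00000000 00000000 0000000f 00000002 00000104  00000d00 00000002 00000000  00000000 00000000 00000000 00000000 00000000 00000000'

sample_martians() { printf '%s\n' "$SAMPLE_RT_CACHE" | martian_counts -; }

# Demo output.  To apply the nft ruleset on a host (as root):
#   rpf_ruleset strict | nft -f -
rpf_ruleset strict
rpf_iptables_rules strict
sample_martians
if [ -r /proc/net/stat/rt_cache ]; then martian_counts; fi
```

Strict mode is the right default for a server with a single upstream; if the box sits behind asymmetric routing (the case William Herrin describes), generate the loose variant with `rpf_ruleset loose` rather than dropping legitimate traffic. The `counter` and `log` statements make drops visible in `nft list ruleset` and in the kernel log, so there is no need to guess from the rt_cache counters alone.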