BCP38 on public-facing Ubuntu servers
Jean St-Laurent
jean at ddostest.me
Wed Jun 9 11:39:46 UTC 2021
Bingo!
With -t raw, you can bypass the 1.2 Mpps limitation in iptables per CPU socket, because it's doing a very early drop without crossing the full iptables kernel modules.
You can reach close to wirespeed with -t raw compared to using the same iptables without -t raw.
Jean
-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Fran via NANOG
Sent: June 8, 2021 5:39 PM
To: nanog at nanog.org
Subject: Re: BCP38 on public-facing Ubuntu servers
Hey,
To my knowledge there is no IPv6 equivalent for net.ipv4.conf.all.rp_filter.
Therefore I use netfilter to do the RP filtering for both address families.
ip(6)tables -t raw -I PREROUTING -m rpfilter --invert -j DROP
Using the raw table, fewer resources are used, but you could also choose other tables.
Details about rpfilter can be found here [1].
This can also be achieved using nftables [2].
Best
Fran
[1] https://ipset.netfilter.org/iptables-extensions.man.html#lbBX
[2] https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information
On 04.06.21 20:43, Jay Vosburgh wrote:
> Grant Taylor via NANOG <nanog at nanog.org> wrote:
>
>> On 6/3/21 8:44 AM, William Herrin wrote:
>>> rp_filter is great until your network is slightly less than a
>>> perfect hierarchy. Then your Linux "router" starts mysteriously
>>> dropping packets and, as with allow_local, Linux doesn't have any
>>> way to generate logs about it so you end up with these mysteriously
>>> unexplained packet discards matching no conceivable rule in
>>> iptables... This failure has too often been the bane of my existence
>>> when using Linux for advanced networking.
>>
>> I don't remember the particulars, but I thought that was the domain
>> of log_martians (net.ipv4.conf.*.log_martians).
>>
>> Without log_martians or explicitly looking for such, no, you won't
>> get any indication of such drops.
>
> Yes, enabling the log_martians sysctl will generate a kernel log
> message for each rp_filter failure (subject to rate limiting). There
> are also stat counters in /proc/net/stat/rt_cache (one line per CPU)
> for in_martian_dst and in_martian_src which increment regardless of
> the log_martians setting.
>
> The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu, but
> can be set to loose mode (== 2); the difference is, essentially, in
> strict mode the reverse path must be the same interface as the ingress
> interface, whereas in loose mode the reverse path can be any interface
> (as long as the source address is reachable).
>
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
>
> -J
>
> ---
> -Jay Vosburgh, jay.vosburgh at canonical.com
>
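As an added example (not part of this thread, and not code from the referenced netfilter or nftables pages), the script below writes out the rpfilter rule Fran describes for both address families, with a rate-limited LOG rule ahead of the DROP so the discards are visible in the kernel log instead of vanishing silently, the equivalent nftables ruleset in a single inet table, and a small helper that sums the per-CPU in_martian_src / in_martian_dst counters Jay mentions from /proc/net/stat/rt_cache. It assumes iptables/ip6tables with the rpfilter match, nft with fib expression support, and the column layout of /proc/net/stat/rt_cache as printed by the kernel; the sample counter file embedded in it is constructed for demonstration. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example for the NANOG "BCP38 on public-facing Ubuntu servers" thread.
# Not the thread's own code. Assumes iptables with the rpfilter match and nft
# with fib support. Nothing here is applied; rules are emitted to stdout.

# Emit unicast-RPF rules for IPv4 and IPv6 in the raw table (early, cheap drop).
# The LOG rule is appended first so it runs before the DROP for the same packets.
rpf_iptables_rules() {
    for cmd in iptables ip6tables; do
        echo "$cmd -t raw -A PREROUTING -m rpfilter --invert -m limit --limit 5/minute -j LOG --log-prefix 'rpf-fail: '"
        echo "$cmd -t raw -A PREROUTING -m rpfilter --invert -j DROP"
    done
}

# Same policy as an nftables ruleset; the inet family covers v4 and v6 at once.
# "fib saddr . iif oif missing" is the strict check (like rp_filter=1); drop the
# ". iif" part for a loose check (like rp_filter=2).
rpf_nft_ruleset() {
    cat <<'EOF'
table inet rpf {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        fib saddr . iif oif missing limit rate 5/minute log prefix "rpf-fail: "
        fib saddr . iif oif missing counter drop
    }
}
EOF
}

# Sum one column of /proc/net/stat/rt_cache across CPUs. The file has a header
# line with column names and one hex line per CPU. Usage:
#   rt_cache_counter in_martian_src [file]   ("-" reads stdin)
rt_cache_counter() {
    file=${2:-/proc/net/stat/rt_cache}
    vals=$(awk -v n="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == n) c = i; if (!c) exit 2; next }
        { print $c }' "$file") || { echo "no column named $1" >&2; return 1; }
    total=0
    for v in $vals; do
        total=$((total + 0x$v))   # values are zero-padded hex
    done
    echo "$total"
}

# Constructed sample in the kernel's rt_cache layout (two CPUs).
# in_martian_dst is column 7 (2 + 0), in_martian_src is column 8 (0xa + 0x5).
SAMPLE_RT_CACHE='entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00000004  00000000 000003e8 00000000 00000000 00000001 00000002 0000000a  00000000 00000200 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000004  00000000 000001f4 00000000 00000000 00000000 00000000 00000005  00000000 00000100 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# Demo when run directly: print the rules, the sample totals, and live counters if readable.
rpf_iptables_rules
rpf_nft_ruleset
echo "sample in_martian_src: $(printf '%s\n' "$SAMPLE_RT_CACHE" | rt_cache_counter in_martian_src -)"
if [ -r /proc/net/stat/rt_cache ]; then
    echo "live in_martian_src: $(rt_cache_counter in_martian_src)"
    echo "live in_martian_dst: $(rt_cache_counter in_martian_dst)"
fi
```

The counters increment whether or not log_martians is set, so polling rt_cache_counter before and after a change to rp_filter is a cheap way to see whether strict mode is discarding legitimate traffic on an asymmetric path before switching to the netfilter rules, whose LOG/log lines then name the interface and source of each discard.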