BCP38 on public-facing Ubuntu servers

Jean St-Laurent jean at ddostest.me
Wed Jun 9 11:39:46 UTC 2021


Bingo! 

With -t raw, you can bypass the 1.2 Mpps limitation in iptables per CPU socket, because it's doing a very early drop without crossing the full iptables kernel modules.

You can reach close to wire speed with -t raw compared to using the same iptables rule without -t raw.

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Fran via NANOG
Sent: June 8, 2021 5:39 PM
To: nanog at nanog.org
Subject: Re: BCP38 on public-facing Ubuntu servers

Hey,

To my knowledge there is no IPv6 equivalent for net.ipv4.conf.all.rp_filter.

Therefore I use netfilter to do the RP filtering for both address families.


iptables  -t raw -I PREROUTING -m rpfilter --invert -j DROP
ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP

Using the raw table, fewer resources are used, but you could also choose other tables.
Details about rpfilter can be found here [1].


This can also be achieved using nftables [2].


Best

Fran

[1] https://ipset.netfilter.org/iptables-extensions.man.html#lbBX
[2] https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information



On 04.06.21 20:43, Jay Vosburgh wrote:
> Grant Taylor via NANOG <nanog at nanog.org> wrote:
> 
>> On 6/3/21 8:44 AM, William Herrin wrote:
>>> rp_filter is great until your network is slightly less than a 
>>> perfect hierarchy. Then your Linux "router" starts mysteriously 
>>> dropping packets and, as with allow_local, Linux doesn't have any 
>>> way to generate logs about it so you end up with these mysteriously 
>>> unexplained packet discards matching no conceivable rule in 
>>> iptables... This failure has too often been the bane of my existence 
>>> when using Linux for advanced networking.
>>
>> I don't remember the particulars, but I thought that was the domain 
>> of log_martians (net.ipv4.conf.*.log_martians).
>>
>> Without log_martians or explicitly looking for such, no, you won't 
>> get any indication of such drops.
> 
> 	Yes, enabling the log_martians sysctl will generate a kernel log 
> message for each rp_filter failure (subject to rate limiting).  There 
> are also stat counters in /proc/net/stat/rt_cache (one line per CPU) 
> for in_martian_dst and in_martian_src which increment regardless of 
> the log_martians setting.
> 
> 	The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu, but 
> can be set to loose mode (== 2); the difference is, essentially, in 
> strict mode the reverse path must be the same interface as the ingress 
> interface, whereas in loose mode the reverse path can be any interface 
> (as long as the source address is reachable).
> 
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
> 
> 	-J
> 
> ---
> 	-Jay Vosburgh, jay.vosburgh at canonical.com
> 
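Two parts of this thread lend themselves to a worked example: Fran's netfilter reverse-path rule (in its nftables form, covering both address families) and Jay's notes on the rp_filter sysctl modes and the per-CPU in_martian_* counters. The script below is an added example written for this page; it is not code from any of the posters. It assumes nftables with the fib expression (kernel 4.10 or later and a matching nft), the column layout of /proc/net/stat/rt_cache as printed by the kernel, and nothing else; the function names and the sample counter file are constructed for illustration, and nothing in the script changes the running system.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Assumes nftables with the fib expression and the /proc/net/stat/rt_cache
# column layout. Nothing here modifies the system; apply the output as root.

# Emit an nftables ruleset doing reverse-path filtering for IPv4 and IPv6 at
# once (inet family). "strict" requires the route back to the source to leave
# via the ingress interface (like rp_filter=1); "loose" accepts any route back
# (like rp_filter=2). Priority -300 is the raw table's hook slot, so the drop
# happens before conntrack ever sees the packet.
rpf_ruleset() {
    mode="${1:-strict}"
    case "$mode" in
        strict) fib_expr='fib saddr . iif oif missing' ;;
        loose)  fib_expr='fib saddr oif missing' ;;
        *)      echo "rpf_ruleset: unknown mode '$mode' (strict|loose)" >&2; return 1 ;;
    esac
    cat <<EOF
table inet rpf {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        iif "lo" accept
        ${fib_expr} counter drop comment "rpf ${mode}"
    }
}
EOF
}

# IPv4-only equivalent via sysctl, for hosts that keep rp_filter rather than a
# netfilter rule. The kernel uses max(conf/all, conf/<iface>) per interface, so
# set both "all" and "default". log_martians logs each rp_filter drop to the
# kernel log (rate limited), which is the only way to see them without counters.
rpf_sysctl() {
    case "${1:-strict}" in
        strict) v=1 ;;
        loose)  v=2 ;;
        *)      echo "rpf_sysctl: unknown mode '$1' (strict|loose)" >&2; return 1 ;;
    esac
    printf 'net.ipv4.conf.%s.%s = %s\n' \
        all rp_filter "$v" default rp_filter "$v" \
        all log_martians 1 default log_martians 1
}

# Sum the per-CPU martian counters from /proc/net/stat/rt_cache (one data
# line per CPU, values in hex, column names on the first line). Pass "-" to
# read stdin. Portable awk only: no gawk strtonum().
martian_counts() {
    awk '
        function hex2dec(h,   i, v) {
            v = 0
            h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF > 0  { src += hex2dec($(col["in_martian_src"]))
                  dst += hex2dec($(col["in_martian_dst"])) }
        END     { printf "in_martian_src=%d in_martian_dst=%d\n", src, dst }
    ' "${1:-/proc/net/stat/rt_cache}"
}

# Constructed sample of /proc/net/stat/rt_cache for a two-CPU box (not a real
# capture): 17 hex columns per CPU, in_martian_dst is column 7, in_martian_src
# column 8. CPU0 saw 0xff source martians and 0xa destination martians, CPU1
# saw 0x100 and 0x5, so the totals are 511 and 15.
SAMPLE_RT_CACHE='entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src out_hit out_slow_tot out_slow_mc gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00000010 00000000 000f4240 00000000 00000000 00000002 0000000a 000000ff 00000000 00001000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000010 00000000 00000000 00000000 00000000 00000000 00000005 00000100 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000'
```

Usage on a live host: write `rpf_ruleset strict` to a file under /etc/nftables.d (or wherever the distribution's nftables unit includes from) and load it with `nft -f`; `nft list ruleset` then shows the rule's packet and byte counters, which is the direct equivalent of Jay's rt_cache counters for the netfilter approach. For the sysctl route, `rpf_sysctl strict > /etc/sysctl.d/90-rpf.conf` followed by `sysctl --system`, and `martian_counts` run twice a minute apart tells you whether rp_filter is silently eating traffic on a non-hierarchical topology, the failure William Herrin describes above. Strict mode on a host with asymmetric routing will show the source counter climbing; switching to loose is the usual fix when the host is a router rather than a leaf server.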
