In kernel 2.6.31, the handling of the rp_filter interface option was changed incompatibly. Previously, the effective value was determined by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with the setting of net.ipv4.config.all.proxy_arp.

Beginning with kernel 2.6.31, the value is the arithmetic MAX of those two values. Additionally, a 'loose' routefiltering facility is now enabled by setting the effective value of proxy_arp to 2.

Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if there are any interfaces specifying 'routefilter', specifying 'routefilter' on any interface has the effect of setting the option on all interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> In kernel 2.6.31, the handling of the rp_filter interface option was
> changed incompatibly. Previously, the effective value was determined
> by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with
> the setting of net.ipv4.config.all.proxy_arp.
>
> Beginning with kernel 2.6.31, the value is the arithmetic MAX of
> those two values. Additionally, a 'loose' routefiltering facility is now
> enabled by setting the effective value of proxy_arp to 2.
>
> Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if
> there are any interfaces specifying 'routefilter', specifying
> 'routefilter' on any interface has the effect of setting the option
> on all interfaces.

All above is about rp_filter option, not about proxy_arp, or I don't understand. :)

Best regards
Andrzej Odyniec

On Sun, 20 Dec 2009 02:49:53 +0100 Andrzej Odyniec <anody@macrologic.pl> wrote:
> Tom Eastep wrote:
> > In kernel 2.6.31, the handling of the rp_filter interface option was
> > changed incompatibly. Previously, the effective value was determined
> > by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with
> > the setting of net.ipv4.config.all.proxy_arp.
> >
> > Beginning with kernel 2.6.31, the value is the arithmetic MAX of
> > those two values. Additionally, a 'loose' routefiltering facility
> > is now enabled by setting the effective value of proxy_arp to 2.
> >
> > Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if
> > there are any interfaces specifying 'routefilter', specifying
> > 'routefilter' on any interface has the effect of setting the option
> > on all interfaces.

That should have been:

Given that Shorewall sets net.ipv4.config.all.rp_filter to 1...

-Tom
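
The rule change discussed in this thread, as an added example that is not part of the original posts or of Shorewall's code: a shell function that computes each interface's effective rp_filter value under both the old AND rule and the 2.6.31 MAX rule. It reads the kernel's /proc/sys/net/ipv4/conf tree by default; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. rp_effective prints one line per interface:
#   iface  dev_value  pre-2.6.31_effective  2.6.31+_effective  mode
rp_effective() {
    root="${1:-/proc/sys/net/ipv4/conf}"   # live sysctl tree unless overridden
    all=$(cat "$root/all/rp_filter") || return 1
    for d in "$root"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        dev=$(cat "$d/rp_filter")
        # Before 2.6.31: logical AND of the "all" and per-device settings.
        if [ "$all" -ne 0 ] && [ "$dev" -ne 0 ]; then old=1; else old=0; fi
        # 2.6.31 and later: arithmetic MAX of the two settings.
        if [ "$all" -gt "$dev" ]; then new=$all; else new=$dev; fi
        case "$new" in
            0) mode=off ;;
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode=unknown ;;
        esac
        echo "$iface $dev $old $new $mode"
    done
}

# Interfaces whose effective value differs between the two rules.
rp_changed() {
    rp_effective "$1" | while read -r iface dev old new mode; do
        [ "$old" -eq "$new" ] || echo "$iface"
    done
}

# Constructed sample tree: all=1 (what Shorewall sets when any interface
# specifies routefilter), eth0=1, eth1=0 (no routefilter), tun0=2.
make_sample() {
    t=$(mktemp -d)
    for kv in all=1 default=0 eth0=1 eth1=0 tun0=2; do
        mkdir -p "$t/${kv%%=*}"
        echo "${kv#*=}" > "$t/${kv%%=*}/rp_filter"
    done
    echo "$t"
}

sample=$(make_sample)
rp_effective "$sample"
rm -rf "$sample"
```

In the sample, eth1 is the case the thread describes: its own setting is 0, yet under the MAX rule it is filtered because the "all" value is 1.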