thr3ads.net - LARTC - rp filter questions [May 2002]

If this information is useful, please help other people find it:
Share via:

Don Cohen

2002-May-03 17:31 UTC

rp filter questions

> 	The rp_filter is also explained here: > http://lartc.org/HOWTO//cvs/2.4routing/html/c1182.html#AEN1188
above says:
  for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 1 > $i 
  done

First question:
 ls /proc/sys/net/ipv4/conf/*/rp_filter
 =>
 /proc/sys/net/ipv4/conf/all/rp_filter
 /proc/sys/net/ipv4/conf/default/rp_filter
 /proc/sys/net/ipv4/conf/eth0/rp_filter
 /proc/sys/net/ipv4/conf/eth1/rp_filter
 /proc/sys/net/ipv4/conf/eth2/rp_filter
 /proc/sys/net/ipv4/conf/lo/rp_filter

What do all and default do?
Could the look above be replaced by just one?

Second question:
How does the runtime cost of rp_filter compare with that of rules like
iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP

I assume in one case you have to do a route lookup, in the other you
have to iterate over the appropriate rules.  What are these costs?
Ideally the answers should be in terms of variables we know, such as 
the number of rules, the number of rules per interface, the number of
routes, etc.

Oskar Andreasson

2002-May-06 07:43 UTC

head link

Re: rp filter questions

Hi Don,

First off, some parts of this mail is a little bit off topic for this mailing
list. iptables should be brought up at netfilter@lists.samba.org. Anyways, I
haven''t seen any answer to your questions on the list so far, so
I''ll do my best at answering them.

----- Original Message ----- 
From: "Don Cohen" <don-lartc@isis.cs3-inc.com>
To: <lartc@mailman.ds9a.nl>
Sent: Friday, May 03, 2002 7:31 PM
Subject: [LARTC] rp filter questions

> > The rp_filter is also explained here:
>  > http://lartc.org/HOWTO//cvs/2.4routing/html/c1182.html#AEN1188
> above says:
>   for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
>   echo 1 > $i 
>   done
> 
> First question:
>  ls /proc/sys/net/ipv4/conf/*/rp_filter
>  =>
>  /proc/sys/net/ipv4/conf/all/rp_filter
>  /proc/sys/net/ipv4/conf/default/rp_filter
>  /proc/sys/net/ipv4/conf/eth0/rp_filter
>  /proc/sys/net/ipv4/conf/eth1/rp_filter
>  /proc/sys/net/ipv4/conf/eth2/rp_filter
>  /proc/sys/net/ipv4/conf/lo/rp_filter
> 
> What do all and default do?
From my lack of understanding, all will change the behaviour on all interfaces,
while default contains the default values at all time, disregarding of what the
others are set to. Of course, I haven''t actually checked if this is
correct, nor am I an expert in the area... In other words, do not kill me for
being wrong;). I would make a general guess that the best answer would be given
at the netdev@oss.sgi.com mailing list.
> Could the look above be replaced by just one?
> 
> Second question:
> How does the runtime cost of rp_filter compare with that of rules like
> iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP
> 
I would make a small guess that it will mean less overhead with rp_filter since
it is working inside the ipv4 core while netfilter is layered on top of the ipv4
core and requires a little bit more calls inside the kernel. Again, I may very
possibly be wrong. The best answer would probably be given at the
netfilter-devel@lists.samba.org or netfilter@lists.samba.org.
> I assume in one case you have to do a route lookup, in the other you
> have to iterate over the appropriate rules.  What are these costs?
> Ideally the answers should be in terms of variables we know, such as 
> the number of rules, the number of rules per interface, the number of
> routes, etc.
> 
Again, I believe this is slightly off topic, but I may be wrong. Your best bet
are the above mentioned mailing lists.

Have a nice day,

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: blueflux@koffein.net
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

LARTC - May 2002 - rp filter questions

rp filter questions

Re: rp filter questions