First of all, I have to say a big THANKS to all of you; your LARTC document really sheds some light on such a dark place as Linux TC especially is.

I found a small error, or typo, in LARTC, on page 85, chapter 13.1. It is stated there that "echo 2 > $i" would turn on RP filtering on the current interface, but it should instead be "echo 1 > $i". Also, in Documentation/networking/ip-sysctl.txt there are only two options for rp_filter - 0 (RPF off) or 1 (RPF on).

Also, on page 86, there is a FIXME about conf/{default,all}/* . I tried that, and it turns out that setting only conf/all/rp_filter is enough for all already configured interfaces, and conf/default/rp_filter is intended to be used for interfaces that are just going to be configured, or better said, link-up'ed - for example ppp+ interfaces. I already pointed this out, and you accepted this note, but in a recent version of LARTC I can see that the old version remained in the document.

Hope this helps, and keep up the good work!

--
Pozdrav / Best Wishes, dsimic@urc.bl.ac.yu
Dragan Simic, RS.BA Hostmaster
URC B.Luka / RSKoming.NET, System/Network Admin

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
I had 2.4.x in mind when I wrote this about rp_filter values. In any case, the LARTC should make clear what applies to the 2.2 branch and what to the 2.4 branch. It's true that in 2.2.23 there are three options (0, 1, 2), and there are two options (0, 1) in 2.4.20.

On Thu, 16 Jan 2003, Michael T. Babcock wrote:

> Dragan Simic wrote:
>
> > interface, but there should be, instead, "echo 1 > $i". Also, in
> > Documentation/networking/ip-sysctl.txt there are only two options
> > for rp_filter - 0 (RPF off) or 1 (RPF on).
>
> At various points in history there have been values of 0, 1 and 2
> available to mean different things. In my 2.2.14 source I have lying
> around, I see:
>
> rp_filter - INTEGER
>     2 - do source validation by reversed path, as specified in RFC1812
>         ...
>     1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
>         ...
>     0 - No source validation.

--
Dragan Simic
Hello,

On Thu, 16 Jan 2003, Dragan Simic wrote:

> I had 2.4.x in mind when I wrote this about rp_filter values. In any case,
> in the LARTC should be cleared out what applies to 2.2 branch, and what to
> 2.4 branch. It's true, in 2.2.23, there are three options (0,1,2); and
> there are two options (0,1) in 2.4.20.

This is wrong; all kernels (2.2, 2.4, 2.5) treat 2 as 1, i.e. only 1 and 0 are enough to distinguish the two possible states: enable/disable source address validation.

As for all/rp_filter, it is only a flag that says "0 disables the spoofing check for all interfaces". include/linux/inetdevice.h is a good source of information about whether 0 or 1 as the value for all/XXX changes the feature globally for all interfaces. For rp_filter it is 0, for send_redirects it is 1.

Regards

--
Julian Anastasov <ja@ssi.bg>
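An added example, not from the thread or the LARTC HOWTO, that applies the semantics Julian describes (all/rp_filter = 0 switches the anti-spoofing check off everywhere, otherwise each interface's own flag decides, and any non-zero value is treated as 1) to report which interfaces are still without reverse-path validation. SYSCTL_ROOT is a hypothetical override so the functions can be exercised against a constructed directory tree rather than the live /proc/sys.

```shell
#!/bin/sh
# Added example (not the LARTC HOWTO's or the thread's code). Reports the
# effective reverse-path-filter state per interface using the semantics the
# thread gives for the 2.2/2.4 kernels: conf/all/rp_filter = 0 disables the
# check on every interface, otherwise each interface's own flag decides, and
# any non-zero value (2 included) counts as 1. conf/default is skipped
# because it only seeds interfaces that come up later (e.g. ppp+).
# SYSCTL_ROOT is a hypothetical override so the functions can be pointed at a
# constructed directory tree instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# rpf_flag FILE: print 0 for "0" or a missing file, 1 for any other value
rpf_flag() {
    v=$(cat "$1" 2>/dev/null || echo 0)
    case "$v" in
        0|'') echo 0 ;;
        *)    echo 1 ;;
    esac
}

# effective_rp_filter IFACE: print 1 if source validation is active on IFACE
effective_rp_filter() {
    all=$(rpf_flag "$SYSCTL_ROOT/all/rp_filter")
    own=$(rpf_flag "$SYSCTL_ROOT/$1/rp_filter")
    if [ "$all" = 1 ] && [ "$own" = 1 ]; then echo 1; else echo 0; fi
}

# rp_filter_report: one "IFACE STATE" line per real interface; a 0 marks an
# interface that still accepts packets with a spoofed source address
rp_filter_report() {
    for d in "$SYSCTL_ROOT"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        printf '%s %s\n' "$i" "$(effective_rp_filter "$i")"
    done
}

# Stand-alone use: print the report for the live tree when it is present
if [ -d "$SYSCTL_ROOT/all" ]; then
    rp_filter_report
fi
```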