Message-ID: <b143fc72-afda-1570-7ac1-1e90461a9859@satchell.net>
Date:   Thu, 10 Jun 2021 08:45:37 -0700
From:   Stephen Satchell <list@...chell.net>
To:     linux-doc@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH docs-next] sysctl -- rp_format completed description with
 filter criteria

---
  Documentation/networking/ip-sysctl.rst | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/Documentation/networking/ip-sysctl.rst 
b/Documentation/networking/ip-sysctl.rst
index c2ecc98..0ab017b 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1443,6 +1443,13 @@ rp_filter - INTEGER
  	  and if the source address is not reachable via any interface
  	  the packet check will fail.

+	rp_filter will examine the source address of an incoming IP
+	packet by performing an FIB lookup.  In loose mode (value 2),
+	the packet is rejected if the source address is neither
+	UNICAST nor LOCAL(when interface allows) nor IPSEC.  For
+	strict mode (value 1) the interface indicated by the FIB table
+	entry must also match the interface on which the packet arrived.
+
  	Current recommended practice in RFC3704 is to enable strict mode
  	to prevent IP spoofing from DDos attacks. If using asymmetric routing
  	or other complicated routing, then loose mode is recommended.
-- 
1.8.3.1
