0. References

1. rp_filter

The kernel's rp_filter parameter controls whether the system validates the source address of incoming packets. The Linux kernel documentation describes it as follows:

rp_filter - INTEGER
	0 - No source validation.
	1 - Strict mode as defined in RFC3704 Strict Reverse Path
	    Each incoming packet is tested against the FIB and if the interface
	    is not the best reverse path the packet check will fail.
	    By default failed packets are discarded.
	2 - Loose mode as defined in RFC3704 Loose Reverse Path
	    Each incoming packet's source address is also tested against the FIB
	    and if the source address is not reachable via any interface
	    the packet check will fail.

	Current recommended practice in RFC3704 is to enable strict mode
	to prevent IP spoofing from DDos attacks. If using asymmetric routing
	or other complicated routing, then loose mode is recommended.

	The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

	Default value is 0. Note that some distributions enable it
	in startup scripts.

With rp_filter set to 1 (strict mode, which many distributions turn on in their startup scripts even though the kernel's own default is 0), Linux performs strict reverse path validation on every incoming packet: the route back to the packet's source address must leave through the interface the packet arrived on, i.e. that interface must be the best reverse path. If it is not, the packet is discarded.

In other words, the interface that receives a packet and the interface through which the reply would be routed must be the same; otherwise the packet is dropped.

/proc/sys/net/ipv4/conf/{all,interface}/rp_filter configures the global or per-interface rp_filter parameter. When the global value and the per-interface value differ, the larger of the two takes effect.

When a new network device is created, its rp_filter is initialised to the value set in /proc/sys/net/ipv4/conf/default/rp_filter.
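The following script is an added example, not code from the original post. It shows the "larger value wins" rule from the paragraphs above as a pure function, reads the live values for an interface on a Linux host, and extracts the IPReversePathFilter counter (the kernel's count of packets dropped by rp_filter) from /proc/net/netstat so an operator can see whether strict mode is actually discarding traffic. The sample netstat text embedded in rp_sample_netstat is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): determine which rp_filter mode
# actually applies to an interface and how many packets it has dropped.
# The kernel uses max(conf/all, conf/<iface>); conf/default only seeds new devices.

# Describe a numeric rp_filter value in words.
rp_mode_name() {
    case "$1" in
        0) echo "off (no source validation)" ;;
        1) echo "strict (RFC 3704 strict reverse path)" ;;
        2) echo "loose (RFC 3704 loose reverse path)" ;;
        *) echo "unknown" ;;
    esac
}

# Effective value = max(conf/all, conf/<iface>). Pure function of its two
# arguments so it can be checked without touching /proc.
rp_effective() {
    all="$1"; iface="$2"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Read the live values for one interface ($1) on a Linux host.
rp_effective_for() {
    base=/proc/sys/net/ipv4/conf
    rp_effective "$(cat "$base/all/rp_filter")" "$(cat "$base/$1/rp_filter")"
}

# Extract the IPReversePathFilter counter from text in /proc/net/netstat layout:
# the first "TcpExt:" line names the columns, the second carries the values.
# $1 = file to read; defaults to stdin ("-") so sample text can be piped in.
rp_drop_count() {
    awk '
        $1 == "TcpExt:" && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") idx = i
            next
        }
        $1 == "TcpExt:" && seen { print (idx ? $idx : "n/a"); exit }
    ' "${1:--}"
}

# Constructed sample in /proc/net/netstat layout (not captured from a real host).
rp_sample_netstat() {
    printf '%s\n' \
        'TcpExt: SyncookiesSent SyncookiesRecv IPReversePathFilter TCPPureAcks' \
        'TcpExt: 0 0 7 1234' \
        'IpExt: InNoRoutes InTruncatedPkts' \
        'IpExt: 0 0'
}

# One-line report for a live interface, e.g. `sh rpcheck.sh eth0`.
rp_report() {
    val=$(rp_effective_for "$1")
    echo "$1: rp_filter=$val ($(rp_mode_name "$val")), packets dropped by rp_filter: $(rp_drop_count /proc/net/netstat)"
}

if [ "$#" -ge 1 ]; then
    rp_report "$1"
fi
```

If the counter keeps rising on a host with asymmetric routing, that is the symptom of the drops described above; the kernel can also be told to log each discarded packet with a "martian source" message by setting net.ipv4.conf.all.log_martians = 1, which is usually easier to correlate with a specific source address than the bare counter.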

Disabling rp_filter

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.{interface}.rp_filter = 0