Hi Don,

First off, some parts of this mail are a little bit off topic for this mailing list. iptables should be brought up at netfilter@lists.samba.org. Anyways, I haven't seen any answer to your questions on the list so far, so I'll do my best at answering them.

----- Original Message -----
From: "Don Cohen" <don-lartc@isis.cs3-inc.com>
To: <lartc@mailman.ds9a.nl>
Sent: Friday, May 03, 2002 7:31 PM
Subject: [LARTC] rp filter questions

>
> The rp_filter is also explained here:
>
> http://lartc.org/HOWTO//cvs/2.4routing/html/c1182.html#AEN1188
> above says:
> for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
>     echo 1 > $i
> done
>
> First question:
> ls /proc/sys/net/ipv4/conf/*/rp_filter
> =>
> /proc/sys/net/ipv4/conf/all/rp_filter
> /proc/sys/net/ipv4/conf/default/rp_filter
> /proc/sys/net/ipv4/conf/eth0/rp_filter
> /proc/sys/net/ipv4/conf/eth1/rp_filter
> /proc/sys/net/ipv4/conf/eth2/rp_filter
> /proc/sys/net/ipv4/conf/lo/rp_filter
>
> What do all and default do?

From my lack of understanding, all will change the behaviour on all interfaces, while default contains the default values at all times, regardless of what the others are set to. Of course, I haven't actually checked if this is correct, nor am I an expert in the area... In other words, do not kill me for being wrong;). I would make a general guess that the best answer would be given at the netdev@oss.sgi.com mailing list.

> Could the loop above be replaced by just one?
>
> Second question:
> How does the runtime cost of rp_filter compare with that of rules like
> iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP
>

I would make a small guess that it will mean less overhead with rp_filter, since it is working inside the ipv4 core, while netfilter is layered on top of the ipv4 core and requires a few more calls inside the kernel. Again, I may very possibly be wrong. The best answer would probably be given at the netfilter-devel@lists.samba.org or netfilter@lists.samba.org.

> I assume in one case you have to do a route lookup, in the other you
> have to iterate over the appropriate rules. What are these costs?
> Ideally the answers should be in terms of variables we know, such as
> the number of rules, the number of rules per interface, the number of
> routes, etc.
>

Again, I believe this is slightly off topic, but I may be wrong. Your best bet is the above-mentioned mailing lists.

Have a nice day,
Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: blueflux@koffein.net

>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
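The thread contrasts rp_filter (a route lookup on the source address) with a hand-written iptables rule. The following toy model is an added example, not code from the thread, the LARTC HOWTO or the kernel: it implements the strict reverse-path check the way rp_filter=1 does it (look up a route to the packet's source and accept only if it points back out the ingress interface) and runs the same constructed packets through the single rule quoted above. The routing table, the interface roles (eth0 upstream, eth1 the 10.0.0.0/8 site, eth2 a 192.168.1.0/24 segment) and the packet list are all constructed for illustration; the function names are my own.

```python
"""Added example (not from the LARTC thread): a toy model of strict
reverse-path filtering versus a hand-written interface/source rule.

The route table, packets and interface roles below are constructed for
illustration; nothing here reads the real kernel state."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, outgoing interface).
# eth0 = upstream/default, eth1 = 10.0.0.0/8 site, eth2 = 192.168.1.0/24 segment.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "eth1"),
    ("192.168.1.0/24", "eth2"),
    ("127.0.0.0/8", "lo"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to `dst` would leave on,
    or None if no route covers it (this toy table always has a default route)."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, in_iface, routes=ROUTES):
    """Strict reverse-path check, as rp_filter=1 does: route the *source*
    address and accept only if the reply would leave via the interface the
    packet arrived on. One lookup, whatever the number of interfaces."""
    return route_lookup(src, routes) == in_iface


def manual_rule_accepts(src, in_iface):
    """The single iptables rule quoted in the thread:
        iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP
    It only knows about eth1; packets on other interfaces pass untouched."""
    if in_iface == "eth1" and ip_address(src) not in ip_network("10.0.0.0/8"):
        return False
    return True


# Constructed packets: (source, ingress interface, what the packet represents).
PACKETS = [
    ("10.1.2.3", "eth1", "legit site host on eth1"),
    ("8.8.8.8", "eth1", "external source arriving on the site interface"),
    ("10.1.2.3", "eth0", "site address arriving from upstream"),
    ("192.168.1.7", "eth2", "legit host on the 192.168.1.0/24 segment"),
    ("192.168.1.7", "eth1", "192.168.1.0/24 address arriving on eth1"),
]


def compare(packets=PACKETS, routes=ROUTES):
    """One row per packet with both verdicts, so the two approaches can be
    compared side by side."""
    rows = []
    for src, iface, what in packets:
        rows.append({
            "src": src, "in": iface, "what": what,
            "rp_filter": rp_filter_accepts(src, iface, routes),
            "manual_rule": manual_rule_accepts(src, iface),
        })
    return rows


if __name__ == "__main__":
    for r in compare():
        rp = "ACCEPT" if r["rp_filter"] else "DROP"
        ru = "ACCEPT" if r["manual_rule"] else "DROP"
        print(f"{r['src']:>12} in {r['in']:<4} rp_filter={rp:<6} rule={ru:<6}  {r['what']}")
```

The third packet is the instructive one: a 10.x source arriving from upstream on eth0 is dropped by the reverse-path check but passes the single rule, because that rule only covers eth1; reproducing rp_filter's coverage with netfilter means one rule per interface, which is the per-interface rule count Don's second question asks about. Whether the conf/all and conf/<interface> values are combined with AND or with max is defined in the kernel's Documentation/networking/ip-sysctl.txt and has differed between kernel versions, so check the text for the kernel actually in use before relying on a single write to conf/all.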