Hello all,

My question:
- - - - - - -
Does anybody know when the reverse path filtering occurs as the packet
traverses the kernel? Does it happen before NF_IP_PRE_ROUTING (PREROUTING)
or not? Does it only happen at route selection time?

What I have tried to do to find the answer:
- - - - - - - - - - - - - - - - - - - - - -
I find a posting (from many years ago) [0], which suggests that this
happens in fib_validate_source() (in fib_frontend.c) which is only called
by route.c.

I tried following the diagram by Mathieu Lafon to see if
fib_validate_source() is called in ip_rcv() (in ip_input.c), but I don't
read C very well, so I could well be missing where the rp_filter
validation is occurring.

If I understand the path correctly, the functions are traversed in this
order (from most deeply nested first):

  fib_validate_source()
  ip_route_input_slow()
  ip_route_input()
  ip_rcv_finish()
  ip_rcv()

It seems that ip_rcv() (in ip_input.c) calls the following, and I simply
do not understand what this means:

  return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, ip_rcv_finish);

I'm guessing that NF_IP_PRE_ROUTING (the PREROUTING hooks) are called
before ip_rcv_finish is called, which means that the rp_filter action
doesn't occur until after the PREROUTING hooks.

Is this accurate? Can anybody shed some light? Is my interpretation
accurate?

Thank you very much,

-Martin

 [0] http://www.ussg.iu.edu/hypermail/linux/kernel/0002.1/1522.html
 [1] http://open-source.arkoon.net/kernel/kernel_net.png

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
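
The call order asked about above, as an added example that is not part of the original post or of the kernel source: a user-space C model of the quoted NF_HOOK line, in which the hooks registered for the hook point run first and the final function argument is called only if the packet is accepted. All model_* names, the packet flag and the trace strings are constructed for illustration.

```c
/* User-space model of the receive path named in the post. NOT kernel code:
 * every model_* name and the trace strings are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum verdict { MODEL_DROP, MODEL_ACCEPT };
struct pkt { int fails_rp_check; };   /* constructed: source fails reverse-path check */
typedef enum verdict (*hook_fn)(struct pkt *);
typedef int (*ok_fn)(struct pkt *);

static char trace[128];
static void note(const char *s) { strncat(trace, s, sizeof(trace) - strlen(trace) - 1); }

/* Stands in for fib_validate_source(), reached via ip_route_input(). */
static int model_validate_source(struct pkt *p) { note("rp_filter;"); return !p->fails_rp_check; }

/* Stands in for ip_rcv_finish(): the route lookup, and with it rp_filter, starts here. */
static int model_ip_rcv_finish(struct pkt *p) {
    note("ip_rcv_finish;");
    if (!model_validate_source(p)) { note("dropped;"); return -1; }
    note("routed;");
    return 0;
}

static enum verdict hook_accept(struct pkt *p) { (void)p; note("PREROUTING;"); return MODEL_ACCEPT; }
static enum verdict hook_drop(struct pkt *p)   { (void)p; note("PREROUTING;"); return MODEL_DROP; }

/* Stands in for NF_HOOK(): run each registered hook; call okfn only if all accept. */
static int model_nf_hook(hook_fn *hooks, int n, struct pkt *p, ok_fn okfn) {
    for (int i = 0; i < n; i++)
        if (hooks[i](p) != MODEL_ACCEPT) { note("dropped;"); return -1; }
    return okfn(p);
}

/* Stands in for ip_rcv(); returns the order in which the stages ran. */
const char *model_ip_rcv(int fails_rp_check, int hook_drops) {
    struct pkt p = { fails_rp_check };
    hook_fn hooks[] = { hook_drops ? hook_drop : hook_accept };
    trace[0] = '\0';
    model_nf_hook(hooks, 1, &p, model_ip_rcv_finish);
    return trace;
}

int main(void) {
    printf("valid source:   %s\n", model_ip_rcv(0, 0));
    printf("fails rp check: %s\n", model_ip_rcv(1, 0));
    printf("hook drops:     %s\n", model_ip_rcv(1, 1));
    return 0;
}
```

In the model's traces, the PREROUTING stage sees a packet before the reverse-path check can discard it, and a packet dropped by a hook never reaches that check.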