Re: Multiple link, policy routing and link not in default route...

Linux Advanced Routing and Traffic Control

Hi,

Rather than disable rp_filter (by setting to 0 on all interfaces I presume),
what about setting it to 2 for Loose mode instead, and only on the affected
interfaces, so only those interfaces change behaviour?

Loose mode would allow the packet as long as there is a valid route on any
interface, instead of the specific interface it comes in on.  So as long as a
default route exists anywhere, the packet should pass.

Potentially this opens up the interface to spoofed traffic, as it would now
allow traffic with source IP belonging to subnets on your private interfaces,
because obviously you would have routes to those too.  But that can be solved
easily with iptables rules.  Generally I block all packets with source in all
private IP ranges on Internet-facing interfaces, with exceptions if necessary
e.g. for external DMZ etc.  (I do similar for outbound too, no need to pollute
the Internet with traffic destined to private IP space, though it might not be
as simple if you are behind CG-NAT...)

If it works, you would need to look into the sysctl config for your specific
system to make it persistent across reboots.

Regards,

Ali



On 05/02/2021 16:42, Marco Gaiarin wrote:
Why does the interface need to be in the 'default route'? Thanks.
As suggested by a private reply, I've disabled 'rp_filter' and packets
flow correctly.

AFAI've understood, packets get routed correctly to the intended
interface, but when the reply comes back the reverse path filter interprets
it as 'impossible' (because there's no forward route, and this is
true indeed), and filters it away.


Is there some 'smarter' way, or fine-grained way, or do I have to disable
rp_filter as the only option?


Thanks.
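The approach from Ali's reply, as an added example that is not part of the thread: loose-mode rp_filter on just the Internet-facing interface plus iptables rules dropping private-address traffic there. The interface name is passed as an argument and the chain layout is an assumption; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Relaxes rp_filter to loose mode
# on one Internet-facing interface (name is an assumption, passed as $1)
# and drops traffic with private source/destination addresses on it.
# DRY_RUN=1 (the default) prints the commands instead of running them.

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The kernel applies the larger of conf/all/rp_filter and
# conf/<iface>/rp_filter, so 'all' can stay at 1 (strict) while only this
# interface is raised to 2 (loose). Put this line under /etc/sysctl.d/
# to make the setting survive a reboot.
rp_filter_loose_conf() {
    printf 'net.ipv4.conf.%s.rp_filter = 2\n' "$1"
}

# RFC 1918 ranges; behind CG-NAT your upstream gateway may live in
# shared/private space, so check before blocking outbound.
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Loose mode would pass spoofed packets whose source is one of our own
# private subnets, so drop those on the WAN side, and keep our
# private-destined traffic off the Internet too. Insert any exceptions
# (e.g. an external DMZ) ahead of these rules.
bogon_rules() {
    iface=$1
    for net in $PRIVATE_RANGES; do
        run iptables -I INPUT   -i "$iface" -s "$net" -j DROP
        run iptables -I FORWARD -i "$iface" -s "$net" -j DROP
        run iptables -I OUTPUT  -o "$iface" -d "$net" -j DROP
        run iptables -I FORWARD -o "$iface" -d "$net" -j DROP
    done
}

# Live change for the running kernel, then the filtering rules.
apply() {
    run sysctl -w "net.ipv4.conf.$1.rp_filter=2"
    bogon_rules "$1"
}

if [ $# -ge 1 ]; then apply "$1"; fi
```

Run as `DRY_RUN=0 sh script.sh eth0` (as root) to apply for real; the printed sysctl line from rp_filter_loose_conf is what goes in the sysctl.d file.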



