---
Documentation/networking/ip-sysctl.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.rst
b/Documentation/networking/ip-sysctl.rst
index c2ecc98..0ab017b 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1443,6 +1443,13 @@ rp_filter - INTEGER
and if the source address is not reachable via any interface
the packet check will fail.
+ rp_filter will examine the source address of an incoming IP
+ packet by performing an FIB lookup. In loose mode (value 2),
+ the packet is rejected if the source address is neither
+ UNICAST nor LOCAL(when interface allows) nor IPSEC. For
+ strict mode (value 1) the interface indicated by the FIB table
+ entry must also match the interface on which the packet arrived.
+
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
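Review bot: In the added paragraph, "LOCAL(when interface allows)" is missing a space before the parenthesis and does not say which per-interface setting allows it; name the sysctl (accept_local, if that is what is meant) so readers can find it from this entry. "UNICAST", "LOCAL" and "IPSEC" are listed as if they were the same kind of thing; state that the first two are the route type returned by the FIB lookup and spell out separately what the IPSEC case covers. The new text also follows the existing context sentence "if the source address is not reachable via any interface the packet check will fail" and partly restates it, so consider folding the detail into the per-value descriptions of 1 and 2 instead of adding a separate paragraph after them.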
--
1.8.3.1