rp_filter and fib_validate_source sequence in KPTD

Hello all,

My question:
- - - - - - -
Does anybody know when the reverse path filtering occurs as the packet
traverses the kernel?

Does it happen before NF_IP_PRE_ROUTING (PREROUTING) or not?

Does it only happen at route selection time?


What I have tried to do to find the answer:
- - - - - - - - - - - - - - - - - - - - - -

I found a posting (from many years ago) [0], which suggests that this
happens in fib_validate_source() (in fib_frontend.c) which is only called
by route.c.

I tried following the diagram by Mathieu Lafon [1] to see if
fib_validate_source() is called in ip_rcv() (in ip_input.c), but I don't
read C very well, so I could well be missing where the rp_filter
validation is occurring.

If I understand the path correctly, the functions are traversed in this
order (from most deeply nested first):

  fib_validate_source()
  ip_route_input_slow()
  ip_route_input()

  ip_rcv_finish()
  ip_rcv()

It seems that ip_rcv() (in ip_input.c) calls the following, and I simply
do not understand what this means:

       return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                     ip_rcv_finish);

I'm guessing that NF_IP_PRE_ROUTING (the PREROUTING hooks) are called
before ip_rcv_finish is called, which means that the rp_filter action
doesn't occur until after the PREROUTING hooks.

Is this accurate?  Can anybody shed some light?  Is my interpretation
accurate?

Thank you very much,

-Martin

 [0] http://www.ussg.iu.edu/hypermail/linux/kernel/0002.1/1522.html
 [1] http://open-source.arkoon.net/kernel/kernel_net.png

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
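
The call order asked about above, as a small userspace C model added here (not kernel source and not part of the original post). Function names follow the post; the bodies, return codes, routing table and packets are constructed assumptions, and ip_route_input_slow() is folded into ip_route_input().

```c
#include <stdio.h>
#include <string.h>

/* Userspace model: names mirror the functions in the post; bodies, return
 * codes and the routing table are constructed assumptions, not kernel code. */
enum { NF_DROP = 0, NF_ACCEPT = 1 };
enum { DELIVERED = 0, RPF_DROP = -1, HOOK_DROP = -2 };

struct pkt { unsigned saddr; int in_if; char trace[128]; };
typedef int (*pkt_fn)(struct pkt *);

static void mark(struct pkt *p, const char *s) { strcat(p->trace, s); strcat(p->trace, ">"); }

/* Constructed table: 10.0.0.0/8 is reached via interface 1, the rest via 0. */
static int route_if_for(unsigned addr) { return (addr >> 24) == 10 ? 1 : 0; }

/* Strict reverse-path check: route back to saddr must use the arrival interface. */
static int fib_validate_source(struct pkt *p) {
    mark(p, "fib_validate_source");
    return route_if_for(p->saddr) == p->in_if ? DELIVERED : RPF_DROP;
}
static int ip_route_input(struct pkt *p) { mark(p, "ip_route_input"); return fib_validate_source(p); }
static int ip_rcv_finish(struct pkt *p) { mark(p, "ip_rcv_finish"); return ip_route_input(p); }

/* Model of NF_HOOK: run the hooks first; call okfn only if every hook accepts. */
static int nf_hook(pkt_fn *hooks, int n, struct pkt *p, pkt_fn okfn) {
    for (int i = 0; i < n; i++)
        if (hooks[i](p) != NF_ACCEPT) return HOOK_DROP;
    return okfn(p);
}

static int prerouting_accept(struct pkt *p) { mark(p, "PREROUTING"); return NF_ACCEPT; }
static int prerouting_drop(struct pkt *p) { mark(p, "PREROUTING"); return NF_DROP; }

static int ip_rcv(struct pkt *p, pkt_fn hook) {
    mark(p, "ip_rcv");
    return nf_hook(&hook, 1, p, ip_rcv_finish);
}

static void show(const char *label, struct pkt p, pkt_fn hook) {
    int rc = ip_rcv(&p, hook);
    printf("%-8s rc=%d  %s\n", label, rc, p.trace);
}

int main(void) {
    struct pkt legit = { 0xc0000201u, 0, "" };  /* 192.0.2.1 arriving on if 0 */
    struct pkt spoof = { 0x0a000001u, 0, "" };  /* 10.0.0.1 arriving on if 0 */
    show("legit", legit, prerouting_accept);
    show("spoofed", spoof, prerouting_accept);
    show("hookdrop", spoof, prerouting_drop);   /* never reaches the source check */
    return 0;
}
```

In this model a packet dropped by a PREROUTING hook never reaches the reverse-path check, and a spoofed source that the hooks accept is still visible to them before fib_validate_source() rejects it.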
