Hello,

Nebojsa Trpkovic wrote:
[...]
> I've checked, and my source route verification is turned off for these
> ifaces:
> ###################################################
> etc # sysctl net.ipv4.conf.default.rp_filter
> net.ipv4.conf.default.rp_filter = 1
> etc # sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 0
> etc # sysctl net.ipv4.conf.eth3.rp_filter
> net.ipv4.conf.eth3.rp_filter = 0
> ###################################################
> changing that to "=1" doesn't solve the problem.
[...]
> any idea what could go wrong and why does my system discard packages
> from eth3 if they are not routed by main routing table?
>
> any info on what could be changed between kernels 2.6.29 and 2.6.32
> regarding this issue?

If net.ipv4.conf.all.rp_filter=1, your issue may be related to the two
following changes.

=======================================================================
In 2.6.30:

commit c1cf8422f0512c2b14f0d66bce34abb0645c888a
Author: Stephen Hemminger <shemminger@xxxxxxxxxx>
Date:   Fri Feb 20 08:25:36 2009 +0000

    ip: add loose reverse path filtering

    Extend existing reverse path filter option to allow strict or loose
    filtering. (See http://en.wikipedia.org/wiki/Reverse_path_filtering).

    For compatibility with existing usage, the value 1 is chosen for strict
    mode and 2 for loose mode.

=======================================================================
In 2.6.31:

commit 27fed4175acf81ddd91d9a4ee2fd298981f60295
Author: Stephen Hemminger <shemminger@xxxxxxxxxx>
Date:   Mon Jul 27 18:39:45 2009 -0700

    ip: fix logic of reverse path filter sysctl

    Even though reverse path filter was changed from simple boolean to
    trinary control, the loose mode only works if both all and device are
    configured because of this logic error.
=======================================================================

The first patch changed rp_filter from a boolean to an integer, and the
second patch changed the way the interface-specific value and the "all"
value are combined to produce a functional value from a logical AND to
an arithmetic MAX.

Before patches: functional value = interface AND all
After patches:  functional value = MAX(interface, all)

So now if net.ipv4.conf.all.rp_filter=1, source validation is enabled on
all interfaces as their functional value is at least 1. You may either
set net.ipv4.conf.all.rp_filter to 0 (to disable it) or 2 (to enable
loose mode globally), or set net.ipv4.conf.$interface.rp_filter to 2 (to
enable loose mode on $interface).

I guess that the patch suggested by Dave Miller is related to another
(apparently incomplete) change that occurred in 2.6.32:

=======================================================================
commit b0c110ca8e89f2c9cd52ec7fb1b98c5b7aa78496
Author: jamal <hadi@xxxxxxxxxx>
Date:   Sun Oct 18 02:12:33 2009 +0000

    net: Fix RPF to work with policy routing

    Policy routing is not looked up by mark on reverse path filtering.
    This fixes it.

=======================================================================

IIUC, the purpose of this change is to allow reverse path filtering to
be enabled along with fwmark-based policy routing. I guess it works if
incoming packets have the same mark as outgoing packets, but I have not
tried it yet.
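
Added example, not part of the original message or of the kernel source: a small shell audit that applies both combination rules described above (AND before the patches, MAX after them) to every interface's rp_filter value. The function names and the optional directory argument are assumptions made for this example; the default path is the standard procfs location of these sysctls.

```shell
#!/bin/sh
# Effective rp_filter per interface under the two rules from the message:
#   and = functional value before the patches (interface AND all)
#   max = functional value after the patches  (MAX(interface, all))

# rp_effective RULE ALL_VALUE IFACE_VALUE -> prints the functional value
rp_effective() {
    rp_rule=$1; rp_all=$2; rp_if=$3
    case $rp_rule in
        and)  # boolean: filtering is on only if both values are non-zero
            if [ "$rp_all" -ne 0 ] && [ "$rp_if" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max)  # integer: 0 = off, 1 = strict, 2 = loose; the higher value wins
            if [ "$rp_all" -gt "$rp_if" ]; then echo "$rp_all"; else echo "$rp_if"; fi ;;
        *)  echo "unknown rule: $rp_rule" >&2; return 2 ;;
    esac
}

# rp_mode VALUE -> prints the name of the mode for a functional value
rp_mode() {
    case $1 in 0) echo off ;; 1) echo strict ;; 2) echo loose ;; *) echo unknown ;; esac
}

# rp_audit [CONFDIR] -> one line per interface with both results.
# CONFDIR defaults to the live sysctl tree; pass another directory with the
# same layout (NAME/rp_filter) to evaluate a saved or planned configuration.
rp_audit() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    [ -r "$conf/all/rp_filter" ] || { echo "cannot read $conf/all/rp_filter" >&2; return 1; }
    all_val=$(cat "$conf/all/rp_filter")
    for f in "$conf"/*/rp_filter; do
        name=${f%/rp_filter}; name=${name##*/}
        # "all" is the global operand and "default" only seeds new interfaces
        case $name in all|default) continue ;; esac
        own=$(cat "$f")
        old=$(rp_effective and "$all_val" "$own")
        new=$(rp_effective max "$all_val" "$own")
        echo "$name own=$own all=$all_val and=$old max=$new mode=$(rp_mode "$new")"
    done
}
```

Calling `rp_audit` with no argument reads the running system; an interface whose `and` and `max` columns differ is one whose filtering behaviour changed with the second patch.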