On Mon, Apr 21, 2008 at 07:01:07AM -0400, Jeff Layton wrote:
> On Sun, 20 Apr 2008 22:11:53 -0400
> "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
>
> > On Sun, Apr 20, 2008 at 08:49:52PM -0400, Janne Karhunen wrote:
> > > Yes, but loopback can also be spoofed.
> >
> > Is that true? I thought the kernel discarded packets from interfaces
> > other than lo claiming to be from 127.*.*.*.
> >
>
> I think that's the case only if you have rp_filter turned on. It
> usually is these days, but there are some situations where it doesn't
> do what's expected (vlans, for instance), and has to be disabled.

Well, if you believe Documentation/filesystems/proc.txt on rp_filter:

    "Integer value determines if a source validation should be made.
    1 means yes, 0 means no. Disabled by default, but
    local/broadcast address spoofing is always on."

But I haven't tested this or looked at the code.

--b.