Re: [patch] fix statd -n

On Mon, 21 Apr 2008 09:39:40 -0400
"J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:

> On Mon, Apr 21, 2008 at 07:01:07AM -0400, Jeff Layton wrote:
> > On Sun, 20 Apr 2008 22:11:53 -0400
> > "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote:
> > 
> > > On Sun, Apr 20, 2008 at 08:49:52PM -0400, Janne Karhunen wrote:
> > > > Yes, but loopback can also be spoofed.
> > > 
> > > Is that true?  I thought the kernel discarded packets from interfaces
> > > other than lo claiming to be from 127.*.*.*.
> > > 
> > 
> > I think that's the case only if you have rp_filter turned on. It
> > usually is these days, but there are some situations where it doesn't
> > do what's expected (vlans, for instance), and has to be disabled.
> 
> Well, if you believe Documentation/filesystems/proc.txt on rp_filter:
> 
> 	"Integer value determines if a source validation should be made.
> 	1 means yes, 0 means no.  Disabled by default, but
> 	local/broadcast address spoofing is always on."
> 
> But I haven't tested this or looked at the code.
> 
> --b.

I think that's basically correct, but most modern distros turn it on by
default. From the default /etc/sysctl.conf on my fedora box:

net.ipv4.conf.default.rp_filter = 1

...it's generally a good thing to enable, but there are places where it
needs to be disabled. For instance, my Linksys WRT54g is doing firewall
duties and has it disabled because the switch ports on it are segmented
with VLANs and rp_filter interferes with that.

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
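As an added example (not part of the thread or of statd): a shell check that takes sysctl-style output, computes the effective rp_filter mode per interface the way the kernel does (the larger of conf/all and conf/<iface>), and lists interfaces left unfiltered, such as the VLAN ports Jeff describes. The sample sysctl lines are constructed; the function and interface names are assumptions of this example.

```shell
#!/bin/sh
# Effective reverse-path filtering per interface. The kernel validates a source
# address on <iface> with max(conf/all/rp_filter, conf/<iface>/rp_filter);
# conf/default only seeds interfaces created later. Modes: 0 off, 1 strict,
# 2 loose. 127/8 sources arriving on non-loopback interfaces are rejected as
# martians regardless of rp_filter, which is the "always on" case quoted above.

# Constructed sample, not real output: "all" off, the VLAN sub-interface
# explicitly off (procps sysctl prints the dot in "eth0.10" as "eth0/10").
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0/10.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 2'

# Reads sysctl lines on stdin; prints "<iface> <effective> <verdict>" per interface.
rp_filter_report() {
    awk -F' = ' '
        /^net\.ipv4\.conf\.[^ ]+\.rp_filter = / {
            key = $1
            sub(/^net\.ipv4\.conf\./, "", key)
            sub(/\.rp_filter$/, "", key)
            val[key] = $2 + 0
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            for (k in val) {
                if (k == "all" || k == "default") continue
                eff = (val[k] > all) ? val[k] : all
                verdict = (eff == 0) ? "OFF" : (eff == 1 ? "strict" : "loose")
                printf "%s %d %s\n", k, eff, verdict
            }
        }' | LC_ALL=C sort
}

# Reads sysctl lines on stdin; prints only the interfaces with no source validation.
rp_filter_unfiltered() {
    rp_filter_report | awk '$2 == 0 { print $1 }'
}

# Demo on the constructed sample; on a live box use: sysctl net.ipv4.conf | rp_filter_report
printf '%s\n' "$SAMPLE" | rp_filter_report
```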