On Thursday 2008-07-03 11:50, Jozsef Kadlecsik wrote:

>> > Ingress filtering:
>> > iptables -A FORWARD -i $EXTERNAL_IF -m route --route-src-exists -j DROP
>>
>> rp_filter again.
>
> Quick and not good examples, I'd say. The main problem with rp_filter is
> that it drops the packets >silently<. The real benefit of such a match is
> the possibility to log (and drop) faked packets. If the patch had IPv6
> support, one could add that additionally (as far as I know) there's no
> rp_filter for IPv6 at all.

You know what's been bugging me... why don't we replace the entire
routing infrastructure by an xtables "route" table, with something like

    # rp_filter
    iptables -t route -A ROUTING -m route ! --route-src-exists -j DROP

    # policy routing
    iptables -t route -A ROUTING -m statistic --mode nth --every 2 -j ROUTE --dev eth0

    # ipsec (vaguely)
    iptables -t route -A OUTPUT -s 192.168.1.0/24 -d 192.168.2.0/24 -j IPSEC --mode tunnel --right-side 82.83.84.85

That would get rid of the tons of different-kind tables (xt tables,
routing tables, routing rules, xfrm policy and xfrm subs) and put it
into one thing people understand reasonably well.
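As an added illustration (not code from the mail, the patch or netfilter), here is a model of the check being argued about: a longest-prefix routing lookup with a loose mode (does any route to the source exist, the idea behind --route-src-exists) and a strict mode (rp_filter semantics, the route must point back out the ingress device), returning a log record instead of dropping silently. The routing table, interface names and log format are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: str

# Constructed routing table for a small gateway (not from the mail):
# eth0 is the external interface carrying the default route, eth1/eth2 are internal.
ROUTES = (
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "eth2"),
    Route(ipaddress.ip_network("2001:db8:1::/48"), "eth1"),
)

def lookup(routes, addr):
    """Longest-prefix match for addr; None means 'no route to source'."""
    best = None
    for r in routes:
        if addr.version == r.prefix.version and addr in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best

def reverse_path_check(routes, src, in_dev, strict=True):
    """Return (verdict, log_line).

    Loose mode only asks whether some route to the source exists; strict mode
    (rp_filter) also requires that route to leave via the ingress device.
    A failing packet is reported, not just dropped.
    """
    route = lookup(routes, ipaddress.ip_address(src))
    if route is None:
        reason = "no route to source"
    elif strict and route.dev != in_dev:
        reason = f"reverse path is {route.dev}"
    else:
        return "ACCEPT", None
    return "DROP", f"SPOOF src={src} in={in_dev} reason={reason}"

if __name__ == "__main__":
    # Internal source arriving on the external interface: strict mode flags it,
    # loose mode is satisfied by the default route, so it sees nothing.
    print(reverse_path_check(ROUTES, "192.168.1.5", "eth0"))
    print(reverse_path_check(ROUTES, "192.168.1.5", "eth0", strict=False))
    # No IPv6 default route here, so an unroutable v6 source fails even loosely.
    print(reverse_path_check(ROUTES, "2001:db8:2::1", "eth0", strict=False))
```

With a default route in place, the loose existence check passes every IPv4 source, which is why the logging value in this model comes from the strict check.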