Jozsef Kadlecsik wrote:
On Thu, 3 Jul 2008, Jan Engelhardt wrote:
TODO: add IPv6 support to kernel side
Examples:
Egress filtering:
iptables -A FORWARD -m route ! --route-src-exists -j DROP
That's what rp_filter is for.
Ingress filtering:
iptables -A FORWARD -i $EXTERNAL_IF -m route --route-src-exists -j DROP
rp_filter again.
Quick and not good examples, I'd say. The main problem with rp_filter is
that it drops the packets >silently<. The real benefit of such a match is
the possibility to log (and drop) faked packets. If the patch had IPv6
support, one could add that additionally (as far as I know) there's no
rp_filter for IPv6 at all.
I agree. While I find rp_filter highly annoying (Debian has it enabled
by default), this patch at least allows you to notice what's going on
easily. I'm also sure there are people who would like to use rp_filter
like functionality for IPv6.
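To make the difference between the two approaches concrete, here is a small simulation (added for this write-up, not code from the patch or the kernel) of the two FORWARD rules above, with a LOG step in front of the DROP so spoofed packets are visible instead of silently discarded. It assumes the match ignores the default route (otherwise every source would "exist"), and it restricts the egress rule to packets arriving on internal interfaces, which the posted one-liner does not; the routing table and packets are constructed, and IPv6 prefixes are included to show what the IPv6 side would look like.

```python
import ipaddress

EXTERNAL_IF = "eth0"

# Constructed routing table: (prefix, interface). The default route is left
# out on the assumption that --route-src-exists does not count it.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth2"),
    (ipaddress.ip_network("2001:db8:1::/48"), "eth1"),
]

# Constructed sample packets: (input interface, source address).
SAMPLE_PACKETS = [
    ("eth0", "192.168.1.5"),     # outside packet claiming an inside source
    ("eth0", "203.0.113.7"),     # ordinary inbound traffic
    ("eth1", "192.168.1.5"),     # ordinary outbound traffic
    ("eth1", "203.0.113.9"),     # inside host using a foreign source
    ("eth1", "2001:db8:1::10"),  # ordinary outbound IPv6
    ("eth0", "2001:db8:1::10"),  # spoofed inbound IPv6
]


def route_src_exists(src):
    """True if some non-default route covers the packet's source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix, _ in ROUTES)


def filter_forward(packets):
    """Apply the egress and ingress rules, logging before dropping.

    Returns (verdicts, log_lines). rp_filter would yield only the verdicts;
    the log lines are what the match-based approach adds.
    """
    verdicts, log = [], []
    for in_if, src in packets:
        if in_if == EXTERNAL_IF and route_src_exists(src):
            log.append(f"SPOOF-IN in={in_if} src={src}")
            verdicts.append("DROP")
        elif in_if != EXTERNAL_IF and not route_src_exists(src):
            log.append(f"SPOOF-OUT in={in_if} src={src}")
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts, log


if __name__ == "__main__":
    for line in filter_forward(SAMPLE_PACKETS)[1]:
        print(line)
```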