
Sunday, 12 April 2020

Reverse Path Filtering on Linux (Redhat/Centos)

In this article, I will give an overview of the use cases of reverse path filtering in a Linux environment. The situation in which I ran into this feature was running a single Kamailio SIP server with two interfaces or VLANs. Let's have a look:



Reverse Path Filtering (rp_filter) is a verification feature that checks whether the source address of a received packet is routable back through the same interface or VLAN it arrived on. It is a security measure against packets carrying spoofed source addresses. There are three different options for this feature, 0, 1 and 2, and it is enabled by default.
Here is the detail for the three options:
0 - No source address validation is performed; any packet is forwarded to the destination network.
1 - Strict mode, as defined in RFC 3074. Each incoming packet is tested against the routing table, and if the interface the packet was received on is not the best return path for its source address, the packet is dropped.
2 - Loose mode, as defined in RFC 3074 (Loose Reverse Path). Each incoming packet is tested against the routing table, and the packet is dropped only if its source address is not routable through any interface. This allows asymmetric routing, where the return path may differ from the path the packet arrived on.


You can check the current configuration for this feature by executing "sysctl -ar 'rp_filter'", which gives output like this:

$ sysctl -ar 'rp_filter'
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
 

If the feature is enabled (1), change it to avoid dropping packets received on one of your VLANs or interfaces. Because my infrastructure was inside an MPLS network, I did not care about the verification and set it to "0" in /etc/sysctl.conf so that it takes effect on every boot. To apply the changes to the running system, run "sysctl -p" after you are done with the configuration.
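The check-then-persist procedure above, as an added shell example that is not part of the original post. It parses the same kind of "sysctl -ar rp_filter" output shown earlier (a constructed sample is embedded, with an extra eth1 interface added to make the point) and reports the mode that is actually in force per interface. It relies on the kernel rule from Documentation/networking/ip-sysctl.txt: the value used when validating packets on an interface is the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<interface>.rp_filter, so lowering only one of the two keys leaves strict mode active. The file name /etc/sysctl.d/90-rp_filter.conf is an assumed example path; the lines it generates work equally in /etc/sysctl.conf followed by "sysctl -p".

```shell
#!/bin/sh
# Added example (not the post's own code): audit the effective rp_filter mode
# per interface from "sysctl -ar rp_filter" output, and print the persistent
# sysctl lines needed to change it consistently.
#
# Kernel rule (ip-sysctl.txt): effective value on interface X is
#   max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.X.rp_filter)

# Constructed sample, mirroring the post's output plus an eth1 whose own
# value is already 0 (it is still strict because "all" is 1).
SAMPLE_SYSCTL='net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

# rp_mode_name <0|1|2>: human-readable name of an rp_filter value.
rp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_value <sysctl-output> <interface>: the configured value of
# net.ipv4.conf.<interface>.rp_filter, or 0 if the key is absent.
rp_filter_value() {
    printf '%s\n' "$1" | awk -v key="net.ipv4.conf.$2.rp_filter" \
        '$1 == key { print $3; found = 1 } END { if (!found) print 0 }'
}

# effective_rp_filter <sysctl-output> <interface>: max(all, interface),
# which is what the kernel actually applies to that interface.
effective_rp_filter() {
    all=$(rp_filter_value "$1" all)
    own=$(rp_filter_value "$1" "$2")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_report <sysctl-output>: one "<interface>: <mode>" line per real
# interface (the "all" and "default" pseudo-entries are skipped).
rp_filter_report() {
    printf '%s\n' "$1" |
    sed -n 's/^net\.ipv4\.conf\.\(.*\)\.rp_filter = .*$/\1/p' |
    grep -v -e '^all$' -e '^default$' |
    while read -r ifname; do
        v=$(effective_rp_filter "$1" "$ifname")
        printf '%s: %s\n' "$ifname" "$(rp_mode_name "$v")"
    done
}

# rp_filter_persist_lines <0|1|2> [interface...]: sysctl configuration lines
# that set the mode for "all", "default" (future interfaces) and each named
# existing interface, so the max() rule cannot silently keep the old mode.
rp_filter_persist_lines() {
    mode=$1
    shift
    printf 'net.ipv4.conf.all.rp_filter = %s\n' "$mode"
    printf 'net.ipv4.conf.default.rp_filter = %s\n' "$mode"
    for ifname in "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = %s\n' "$ifname" "$mode"
    done
}

# Stand-alone demo on the constructed sample. On a real host you would feed
# "$(sysctl -ar rp_filter)" instead of "$SAMPLE_SYSCTL".
echo "Effective rp_filter per interface:"
rp_filter_report "$SAMPLE_SYSCTL"
echo
echo "Lines for /etc/sysctl.d/90-rp_filter.conf (assumed path) to switch to loose mode:"
rp_filter_persist_lines 2 eth0 eth1
```

The report shows eth1 as strict even though its own key is 0, which is the trap the max() rule sets for anyone who edits only the per-interface key. For the two-interface SIP case in the post, loose mode (2) keeps the drop for source addresses that are not routable at all while allowing the asymmetric return path, so it is worth trying before going all the way to 0.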

#stayathome !
