Linux: Reverse path forwarding headaches

The Linux kernel has a security feature called Reverse Path Forwarding which is designed to ensure that incoming packets are valid for your network. It validates that a packet arriving via a given interface has a valid IP address for that interface. In some situations a packet can arrive on one interface, and leave on a separate interface. If you have a packet like this Reverse Path Filtering kicks in and drops that packet.

This manifests in that you can see the packet arrive (via tcpdump) but nothing after that (i.e. the packet doesn't leave). The Linux IP stack drops the packet before any routing or service can act upon the packet. To log affected packets to syslog you can run:

echo 1 > /proc/sys/net/ipv4/conf/<interfacename>/log_martians

To disable this check completely you can run the following command:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i 

Valid options for rp_filter are:

0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path - Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path - Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

You can view the current settings for each interface on your box with this command:

sysctl -a | grep -E "net.ipv4.*\.rp_filter"

To make any changes permanent across a reboot set them in /etc/sysctl.conf

net.ipv4.conf.eth0.rp_filter = 0

Keywords: route, loop, egress, ingress, alien

Leave A Reply
All content licensed under the Creative Commons License