linux-doc.vger.kernel.org archive mirror
* [PATCH docs-next] sysctl -- rp_format completed description with filter criteria
@ 2021-06-10 15:45 Stephen Satchell
  0 siblings, 0 replies; only message in thread
From: Stephen Satchell @ 2021-06-10 15:45 UTC (permalink / raw)
  To: linux-doc, netdev

---
  Documentation/networking/ip-sysctl.rst | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/Documentation/networking/ip-sysctl.rst 
b/Documentation/networking/ip-sysctl.rst
index c2ecc98..0ab017b 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1443,6 +1443,13 @@ rp_filter - INTEGER
  	  and if the source address is not reachable via any interface
  	  the packet check will fail.

+	rp_filter will examine the source address of an incoming IP
+	packet by performing an FIB lookup.  In loose mode (value 2),
+	the packet is rejected if the source address is neither
+	UNICAST nor LOCAL(when interface allows) nor IPSEC.  For
+	strict mode (value 1) the interface indicated by the FIB table
+	entry must also match the interface on which the packet arrived.
+
  	Current recommended practice in RFC3704 is to enable strict mode
  	to prevent IP spoofing from DDos attacks. If using asymmetric routing
  	or other complicated routing, then loose mode is recommended.
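
Review bot: In the loose-mode sentence, "LOCAL(when interface allows)" is missing a space before the parenthesis and does not say which setting does the allowing. If it refers to a per-interface sysctl, name it so the reader can look it up. The same sentence lists IPSEC alongside UNICAST and LOCAL as if all three were the same kind of lookup result. A few words saying what each term refers to (route type versus an IPsec-handled packet) would make the filter criteria unambiguous. In the strict-mode sentence, "must also match" could say explicitly that the loose-mode checks apply first. Separately, the mail carries no changelog text and no Signed-off-by line, and the "diff --git" line is wrapped across two lines, so the patch is unlikely to apply as sent.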
-- 
1.8.3.1
