Bug 5015 - rp_filter documentation error in Kconfig
Summary: rp_filter documentation error in Kconfig
Status: CLOSED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4
Hardware: i386 Linux
Importance: P2 low
Assignee: Arnaldo Carvalho de Melo
Duplicates: 5016

Reported: 2005-08-07 11:24 UTC by Adrian Buciuman
Modified: 2007-05-17 15:17 UTC

Kernel Version: 2.6 2.4
Regression: ---

Description Adrian Buciuman 2005-08-07 11:24:27 UTC
rp_filter is off by _kernel_ default.
(Some distributions turn it on in startup scripts).

The following text from net/ipv4/Kconfig is confusing. (It seems one distribution
maintainer thinks rp_filter is on by kernel default)

"config IP_ADVANCED_ROUTER
[..........]
If you turn on IP forwarding, you will also get the rp_filter, which
automatically rejects incoming packets if the routing table entry
for their source address doesn't match the network interface they're
arriving on. This has security advantages because it prevents the
so-called IP spoofing, however it can pose problems if you use
asymmetric routing (packets from you to a host take a different path
than packets from that host to you) or if you operate a non-routing
host which has several IP addresses on different interfaces. To turn
rp_filter off use:

echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
or
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter"

In 2.4 the error is in Documentation/Configure/help. Please fix this too.

Thanks.
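
Added example, not part of the bug report or of the kernel source: a simplified Python model of the reverse-path check the quoted help text describes, showing which packets are dropped with rp_filter set to 1 and that nothing is dropped at the kernel default of 0. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a three-interface host: (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route via the main uplink
    ("192.168.1.0/24", "eth1"),  # internal LAN
    ("10.20.0.0/16", "eth2"),    # peer network reached via a second link
]

def lookup_interface(routes, address):
    """Longest-prefix match: interface the host would use to reach address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_accepts(routes, src, in_iface, rp_filter):
    """0 = no source validation; 1 = route back to src must use in_iface."""
    if rp_filter == 0:
        return True
    return lookup_interface(routes, src) == in_iface

# Constructed packets: (label, source address, arrival interface).
PACKETS = [
    ("LAN host on the LAN port", "192.168.1.10", "eth1"),
    ("LAN address spoofed from the uplink", "192.168.1.10", "eth0"),
    ("Internet host on the uplink", "203.0.113.7", "eth0"),
    ("asymmetric reply from the peer network", "10.20.5.5", "eth0"),
]

def verdicts(rp_filter):
    """Map each packet label to 'accept' or 'drop' for the given setting."""
    return {
        label: "accept" if rp_filter_accepts(ROUTES, src, iface, rp_filter) else "drop"
        for label, src, iface in PACKETS
    }

if __name__ == "__main__":
    for setting in (0, 1):
        print(f"rp_filter={setting}")
        for label, verdict in verdicts(setting).items():
            print(f"  {verdict:6} {label}")
```

The last packet is the asymmetric-routing case from the help text: the source is legitimate, but the route back to it uses eth2, so the filter drops it when enabled.
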
Comment 1 Adrian Bunk 2005-08-07 12:45:29 UTC
*** Bug 5016 has been marked as a duplicate of this bug. ***
Comment 2 Adrian Buciuman 2006-09-25 12:03:47 UTC
Can somebody who is familiar with networking in the kernel comment on this?

Should I prepare a patch that removes that paragraph?

Comment 3 Dave Jones 2007-05-17 15:01:31 UTC
patch posted to netdev@vger.kernel.org
Comment 4 Dave Jones 2007-05-17 15:17:22 UTC
accepted into davem's netdev tree.
