Packit Service |
d1fe03 |
Performs a reverse path filter test on a packet.
If a reply to the packet would be sent via the same interface
that the packet arrived on, the packet will match.
In other words, the match looks up a route back to the packet's source address
and compares that route's output interface with the interface the packet
arrived on, similar to the in-kernel \fBrp_filter\fP sysctl in strict mode.
Note that, unlike the in-kernel rp_filter, packets protected
by IPsec are not treated specially. Combine this match with
the policy match if you want this (for example, exempt them with a preceding
\fB\-m policy \-\-dir in \-\-pol ipsec \-j RETURN\fP rule).
Also, packets arriving via the loopback interface are always permitted.
This match can only be used in the PREROUTING chain of the raw or mangle table.
.TP
\fB\-\-loose\fP
Used to specify that the reverse path filter test should match
even if the selected output device is not the expected one.
That is, a packet passes as long as any route back to its source address
exists, comparable to \fBrp_filter\fP=2 (loose mode); without this option the
route must point back out of the interface the packet arrived on.
.TP
\fB\-\-validmark\fP
Also use the packet's nfmark value when performing the reverse path route lookup.
This is needed when policy routing selects a routing table by mark
(\fBip rule ... fwmark\fP); without it the lookup is done with a mark of zero.
The mark must already be on the packet, i.e. set by an earlier rule before
this match is evaluated.
.TP
\fB\-\-accept\-local\fP
This will permit packets arriving from the network with a source address that is also
assigned to the local machine.
Without it such packets fail the test, since a reply would be delivered
locally rather than sent out through the arrival interface.
.TP
\fB\-\-invert\fP
This will invert the sense of the match. Instead of matching packets that passed the
reverse path filter test, match those that have failed it.
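.PP
The following is an added worked example, not part of this manual page, of
iptables or of the kernel: a small Python model of the decision described
above, run over a constructed routing table, which makes the effect of
\fB\-\-loose\fP, \fB\-\-accept\-local\fP, \fB\-\-validmark\fP, \fB\-\-invert\fP
and the loopback exemption visible on sample packets. The interface names,
addresses, routes and the fwmark-selected table are assumptions. Treating a
local-address route under \fB\-\-accept\-local\fP as subject to the same
strict/loose device test, and modelling \fBip rule fwmark\fP as a per-mark
table with fallback to the main table, are modelling assumptions as well.

```python
"""Model of the iptables rpfilter decision (added illustration, not iptables
or kernel code).  It reimplements the decision the man page describes:
strict reverse-path test, --loose, --accept-local, --validmark, the loopback
exemption and --invert, over a constructed routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix of the route
    dev: str                       # interface the route sends via (for a local
                                   # address: the interface the address is on)
    local: bool = False            # entry from the kernel's "local" table
    fwmark: int = 0                # table selected by "ip rule fwmark N"; 0 = main


@dataclass(frozen=True)
class RpfilterOpts:
    loose: bool = False         # --loose
    accept_local: bool = False  # --accept-local
    validmark: bool = False     # --validmark
    invert: bool = False        # --invert


def route_lookup(routes, dst, mark):
    """Longest-prefix match.  Routes tagged with the packet's fwmark are tried
    first (modelling "ip rule add fwmark N lookup T"), then the main table."""
    for table in ((mark, 0) if mark else (0,)):
        best = None
        for r in routes:
            if r.fwmark == table and dst in r.prefix:
                if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                    best = r
        if best is not None:
            return best
    return None


def reverse_path_ok(routes, src, in_dev, opts, mark):
    """The reverse path test itself, before --invert is applied."""
    # Packets from the loopback interface are always permitted.
    if in_dev == "lo":
        return True
    # Reverse lookup: where would a reply to `src` be routed?  The nfmark only
    # influences the lookup with --validmark; otherwise mark 0 is used.
    route = route_lookup(routes, src, mark if opts.validmark else 0)
    if route is None:
        return False            # no route back at all: fails even in loose mode
    if route.local and not opts.accept_local:
        return False            # source is one of our own addresses
    if opts.loose:
        return True             # any route suffices, regardless of device
    return route.dev == in_dev  # strict: reply must leave via the ingress device


def rpfilter_matches(routes, src, in_dev, opts=RpfilterOpts(), mark=0):
    """True when "-m rpfilter [options]" would match a packet with source
    address `src` that arrived on `in_dev` carrying nfmark `mark`."""
    passed = reverse_path_ok(routes, ipaddress.IPv4Address(src), in_dev, opts, mark)
    return passed != opts.invert


# Constructed sample routing state (assumption): two uplinks plus a LAN, and a
# policy routing table (fwmark 1) that sends marked traffic out the second uplink.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan0"),
    Route(ipaddress.ip_network("192.168.1.1/32"), "lan0", local=True),
    Route(ipaddress.ip_network("198.51.100.2/32"), "wan0", local=True),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", fwmark=1),
]

if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface, nfmark).
    cases = [
        ("192.168.1.20", "lan0", 0),  # LAN host on the LAN port
        ("192.168.1.20", "wan0", 0),  # LAN address arriving from the uplink: spoofed
        ("203.0.113.9", "wan1", 0),   # source behind the uplink the main table does not use
        ("203.0.113.9", "wan1", 1),   # same packet, marked for the wan1 policy table
        ("192.168.1.1", "lan0", 0),   # our own address used as source
        ("203.0.113.9", "lo", 0),     # loopback: always permitted
    ]
    variants = {
        "strict": RpfilterOpts(),
        "loose": RpfilterOpts(loose=True),
        "validmark": RpfilterOpts(validmark=True),
        "accept-local": RpfilterOpts(accept_local=True),
    }
    for src, dev, mark in cases:
        verdicts = "  ".join(f"{name}={rpfilter_matches(ROUTES, src, dev, o, mark)}"
                             for name, o in variants.items())
        print(f"{src:>14} in {dev:<5} mark={mark}: {verdicts}")
```

Run as a script it prints one line per sample packet. The second case (a LAN
address arriving on the uplink) is the spoofed packet that strict mode
rejects and \fB\-\-loose\fP lets through, and the fourth shows why
\fB\-\-validmark\fP is needed when policy routing chooses the uplink by mark:
without it the lookup uses mark 0, finds the main default route via wan0, and
a legitimate packet arriving on wan1 fails the test.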
.PP
Example to log and drop packets failing the reverse path filter test:

iptables \-t raw \-N RPFILTER

iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN

iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"

iptables \-t raw \-A RPFILTER \-j DROP

iptables \-t raw \-A PREROUTING \-j RPFILTER

Example to drop failed packets, without logging. Because \fB\-\-invert\fP
selects the packets that failed the test, a single rule suffices (here
appended to the same RPFILTER chain; it could equally be placed directly in
PREROUTING):

iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP