xdp-project / BNG-router

BNG - Linux router project
GNU General Public License v2.0

Reverse path filtering must be globally disabled #14

Open yoelcaspersen opened 2 years ago

yoelcaspersen commented 2 years ago

To receive and forward a DHCP packet arriving on an unnumbered VLAN interface, reverse path filtering (RPF) must be globally disabled:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Disabling RPF on individual interfaces doesn't work - the packet is dropped and shows up in the martian log.

If an IPv4 address is added on the VLAN interface, disabling RPF on that single VLAN interface works, and the packet is forwarded - but that doesn't help us, as VLAN interfaces must be unnumbered if we want multiple customers to share the same IPv4 subnet and default gateway address (which is necessary to save IPv4 space).

Disabling RPF globally doesn't seem right - please let me know if you have any better ideas.

tohojo commented 2 years ago

Yoel Caspersen @.***> writes:

> To receive and forward a DHCP packet arriving on an unnumbered VLAN interface, reverse path filtering (RPF) must be globally disabled:
>
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> Disabling RPF on individual interfaces doesn't work - the packet is dropped and shows up in the martian log.

That's because the maximum value from the global and the per-interface value is used...

> If an IPv4 address is added on the VLAN interface, disabling RPF on that single VLAN interface works, and the packet is forwarded - but that doesn't help us, as VLAN interfaces must be unnumbered if we want multiple customers to share the same IPv4 subnet and default gateway address (which is necessary to save IPv4 space).
>
> Disabling RPF globally doesn't seem right - please let me know if you have any better ideas.

Isn't it enough to just set it to '2'? That way packets should be allowed if there is any valid route to the source, so having a covering prefix configured on some interface should be enough?
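
The following is an added example, not part of the thread or of the BNG-router project: a small audit script that reports, for each interface, the rp_filter mode that source validation actually uses, namely the larger of `conf/all/rp_filter` and the per-interface value (0 = off, 1 = strict, 2 = loose). The `CONF_DIR` variable and the function names are this example's own; `CONF_DIR` defaults to the real sysctl tree and can be pointed at a constructed directory.

```shell
#!/bin/sh
# Added example: show the rp_filter mode in effect on each interface.
# CONF_DIR is an assumption of this example, overridable for offline checks.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Effective mode for one interface: max(conf/all, conf/<iface>).
effective_rp_filter() {
    iface="$1"
    all_val=$(cat "$CONF_DIR/all/rp_filter") || return 1
    if_val=$(cat "$CONF_DIR/$iface/rp_filter") || return 1
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# Map a mode number to its meaning.
rp_filter_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# One line per interface: name, per-interface value, global value, effective mode.
audit_rp_filter() {
    for dir in "$CONF_DIR"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are settings templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        eff=$(effective_rp_filter "$iface") || continue
        printf '%s iface=%s all=%s effective=%s(%s)\n' "$iface" \
            "$(cat "$dir/rp_filter")" "$(cat "$CONF_DIR/all/rp_filter")" \
            "$eff" "$(rp_filter_name "$eff")"
    done
}

audit_rp_filter
```

An interface that shows `iface=0` together with `effective=1(strict)` is the situation described in the issue: the per-interface setting was lowered, but the global value still enforces strict filtering.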