hi.
after working on T2059 I had took a deeper look into it confused how source-validation is set . In the moment there are two different way's to configure source-validation:
- vyatta-cfg-firewall (/opt/vyatta/share/vyatta-cfg/templates/firewall/source-validation/node.def)
- vyatta-cfg-quagga: (/opt/vyatta/share/vyatta-cfg/templates/interfaces/*/node.tag/ip/source-validation/node.def)
In vyatta-cfg-firewall all Interfaces and the all interfacces is configured.
In vyatta-cfg-quagga it's only configured at interface level
The default behavior is unconfigured.
sysctl.txt from the kernel documentation say's:
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0. Note that some distributions enable it
in startup scripts.Especially:
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.looks like that the current system makes it very confused. Then there is also:
net.ipv4.conf.default.rp_filter:
conf/default/*: Change the interface-specific default settings.
conf/all/*: Change all the interface-specific settings.
I thing we should discuss how we can handle this better and more understandable for the users.