Page MenuHomeVyOS Platform
Create Task
Maniphest T3224

Implement 'feasible' RPF
Needs reporter action, WishlistPublic
Actions

Description

Reverse Path Forwarding (RPF) as defined in RFC 3704 specifies 3 modes: 'strict' (drop traffic if the ingress interface does not have the best egress route to the source), 'feasible' (drop traffic if the ingress interface has no egress route to the source), and 'loose' (drop traffic if the entire system has no egress route to the source).

VyOS currently only implements the 'strict' and 'loose' modes:

set firewall source-validation 'strict'

and

set firewall source-validation 'loose'

I would like to see 'feasible' mode added as a third option, as it is a very pragmatic compromise between the existing 'strict' and 'loose' modes.

Details

Difficulty level
Unknown (require assessment)
Version
1.3.x
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Unspecified (please specify)

Related Objects

Event Timeline

matzus created this task.Jan 16 2021, 7:12 PM
matzus created this object in space S1 VyOS Public.
matzus updated the task description. (Show Details)Jan 16 2021, 7:14 PM
matzus updated the task description. (Show Details)
dmbaturin triaged this task as Wishlist priority.Jan 9 2024, 8:30 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta, VyOS 1.5 Circinus; removed vyatta-cfg-firewall.
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin assigned this task to n.fort.Feb 15 2024, 12:42 PM
dmbaturin added a project: Restricted Project.
dmbaturin changed Is it a breaking change? from Behavior change to Perfectly compatible.
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 15 2024, 3:06 PM
c-po added a subscriber: c-po.Mar 7 2024, 9:05 PM

Hi @matzus,

could you provide us with a documentational like answer how you would implement the requested thing?
We have not yet found a good solution/idea internally and wanted to loop you in on this.

c-po changed the task status from Open to Needs reporter action.Mar 7 2024, 9:05 PM
pasik added a subscriber: pasik.Mar 7 2024, 9:17 PM
csszep added a subscriber: csszep.Mar 8 2024, 11:26 AM

I'm not the original reporter, but i think this is already implemented in T3509 and T5550

https://github.com/vyos/vyos-1x/pull/2793

dmbaturin removed projects: VyOS 1.4 Sagitta (1.4.0-epa1), Restricted Project.Fri, Apr 12, 3:10 PM