内核rp_filter参数

最新推荐文章于 2024-02-15 19:41:19 发布
最新推荐文章于 2024-02-15 19:41:19 发布
阅读量534 收藏
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/huangzx3/article/details/97785048
版权

内核文档:https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt 搜其关键字,可见rp_filter定义如下:

rp_filter - INTEGER
	0 - No source validation.
	1 - Strict mode as defined in RFC3704 Strict Reverse Path
	    Each incoming packet is tested against the FIB and if the interface
	    is not the best reverse path the packet check will fail.
	    By default failed packets are discarded.
	2 - Loose mode as defined in RFC3704 Loose Reverse Path
	    Each incoming packet's source address is also tested against the FIB
	    and if the source address is not reachable via any interface
	    the packet check will fail.

	Current recommended practice in RFC3704 is to enable strict mode
	to prevent IP spoofing from DDos attacks. If using asymmetric routing
	or other complicated routing, then loose mode is recommended.

	The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

	Default value is 0. Note that some distributions enable it
	in startup scripts.

在RFC3704文档https://tools.ietf.org/html/rfc3704#page-5 中可见Strict Reverse Path Forwarding定义如下:

Strict Reverse Path Forwarding (Strict RPF) is a simple way to
   implement an ingress filter.  It is conceptually identical to using
   access lists for ingress filtering, with the exception that the
   access list is dynamic.  This may also be used to avoid duplicate
   configuration (e.g., maintaining both static routes or BGP prefix-
   list filters and interface access-lists).  The procedure is that the
   source address is looked up in the Forwarding Information Base (FIB)
   - and if the packet is received on the interface which would be used
   to forward the traffic to the source of the packet, it passes the
   check.

   Strict Reverse Path Forwarding is a very reasonable approach in front
   of any kind of edge network; in particular, it is far superior to
   Ingress Access Lists when the network edge is advertising multiple
   prefixes using BGP.  It makes for a simple, cheap, fast, and dynamic
   filter.

   But Strict Reverse Path Forwarding has some problems of its own.
   First, the test is only applicable in places where routing is
   symmetrical - where IP datagrams in one direction and responses from
   the other deterministically follow the same path.  While this is
   common at edge network interfaces to their ISP, it is in no sense
   common between ISPs, which normally use asymmetrical "hot potato"
   routing.  Also, if BGP is carrying prefixes and some legitimate
   prefixes are not being advertised or not being accepted by the ISP
   under its policy, the effect is the same as ingress filtering using
   an incomplete access list: some legitimate traffic is filtered for
   lack of a route in the filtering router's Forwarding Information
   Base.

   There are operational techniques, especially with BGP but somewhat
   applicable to other routing protocols as well, to make strict RPF
   work better in the case of asymmetric or multihomed traffic.  The ISP
   assigns a better metric which is not propagated outside of the
   router, either a vendor-specific "weight" or a protocol distance to
   prefer the directly received routes.  With BGP and sufficient
   machinery in place, setting the preferences could even be automated,
   using BGP Communities [2].  That way, the route will always be the
   best one in the FIB, even in the scenarios where only the primary
   connectivity would be used and typically no packets would pass

 

Bear.Huang
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
linux 多播网卡设置,rp_filter及Linux下多网卡接收多播的问题
weixin_33560311的博客
05-01 1265
工作中曾遇到一个很奇怪的问题,我奉命调查。事情是这样的,有一台双网卡的机器,上面装有Fedora8,运行一个程序。该程序分别在两个网口上都接收多播数据,程序运行是正常的。但是,后来升级系统到Fedora13,发现就出问题了:在运行几秒钟后,第2个网口上就接收不到多播数据了。能不能收到多播,取决于交换机是不是往这个网口上转发多播数据。程序在起动的时候,会发一个IGMP的AddMembership的消...
Linux内核参数rp_filter
weixin_30667649的博客
08-29 574
一、rp_filter参数介绍 rp_filter参数用于控制系统是否开启对数据包源地址的校验。 首先看一下Linux内核文档documentation/networking/ip-sysctl.txt中的描述: rp_filter - INTEGER 0 - No source validation. 1 - Strict mode as defined in RFC3704 Str...
Linux的rp_filter与策略路由
系统运维
09-05 319
Linux的rp_filter用于实现反向过滤技术,也即uRPF,它验证反向数据包的流向,以避免伪装IP攻击,但是它和Linux的策略路由却很容易发生冲突,其本质原因在于,uRPF技术强制规定了一个反向包的“方向”,而实际的路由是没有方向的。策略路由并没有错,错就错在uRPF增加了一个路由概念本身并没有且从不考虑的约束。典型的例子如下。0.基本环境内网口:eth0外网口1:eth1外网口2:eth...
rp_filter参数 及 阿里云SLB使用注意
编程圈子-谢厂节的博客
03-22 1686
作用 rp_filter参数用于控制系统是否开启对数据包源地址的校验。 参考文档: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt 中文: 即rp_filter参数有三个值,0、1、2,具体含义: 0:不开启源地址校验。 1:开启严格的反向路径校验。对每个进来的数据包,校验其反向路径是否是最佳路 径。...
Linux内核的 反向路由检查机制rp_filter
u014644574的博客
04-12 1618
Linux内核的 反向路由检查机制rp_filter
Linux利用Sysctl命令调整内核参数
09-15
- `net.ipv4.conf.default.rp_filter`:设置为`1`启用反向路径过滤,检查数据包来源。 - `net.ipv4.tcp_syncookies`:设置为`1`启用TCP同步 cookie,防御SYN flood攻击。 - `net.ipv4.tcp_max_syn_backlog`:设置TCP...
oracle11g安装时内核参数设置
12-10
- **`net.ipv4.conf.default.rp_filter=1`**:启用逆向路径过滤(Reverse Path Forwarding),这是一种防止源地址欺骗的安全机制。设置为1表示严格模式,可以提高网络安全性,防止DDoS攻击等恶意行为。 - **`...
linux sysctl参数配置详细介绍
09-15
6. **net.ipv4.conf.default.rp_filter** - 反向路径过滤(RPFilter)用于防止IP欺骗。设置为1意味着默认开启。 7. **net.ipv4.conf.default.accept_source_route** - 设置为0可以阻止接收源路由,从而提高安全性。...
系统优化参数大全
09-10
- 参数: `net.ipv4.conf.default.rp_filter` - 设置: `1` - 说明: 启用严格的源路由验证机制,有助于防止源地址欺骗攻击。 3. **禁用IP源路由**: - 参数: `net.ipv4.conf.default.accept_source_route` - 设置...
linux性能优化参数解释
08-15
**net.ipv4.conf.*.rp_filter** 设置为`1`,启用反向路径过滤(Reverse Path Forwarding),这是一种基于源地址验证机制的安全措施,用于防止IP欺骗。 #### 4. **net.ipv4.conf.*.accept_redirects** 设为`0`,...
rp_filter
05-18 4462
The rp_filter can reject incoming packets if theirsource address doesn’t match the network interface that they’rearriving on, which helps to prevent IP spoofing. Turning this on,however, has i
反向过滤--rp_filter
yunlianglinfeng的专栏
08-22 5805
一、原理 先介绍个非对称路由的概念 参考《Understanding Linux Network Internals》三十章, 30.2. Essential Elements of Routing Symmetric routes and asymmetric routes Usually, the route taken from Host A to Host B is the sa
linux双网卡rp_filter,rp_filter及Linux下多网卡接收多播的问题
weixin_35972199的博客
05-06 1083
有一台双网卡的机器,上面装有Fedora8,运行一个程序。该程序分别在两个网口上都接收多播数据,程序运行是正常的。但是,后来升级系统到Fedora13,发现就出问题了:在运行几秒钟后,第2个网口上就接收不到多播数据了。能不能收到多播,取决于交换机是不是往这个网口上转发多播数据。程序在起动的时候,会发一个IGMP的AddMembership的消息,交换机将把这个网口加入多播组。当在其他网口上收到该地...
通过设置内核参数rp_filter解决linux第二块网卡无法跨网络访问的问题
qd89zzx的博客
12-25 1106
当test-single-lan2 ping 192.168.30.22时,tcpdump icmp包看了一下,发现只有请求的包,test-dual-vpc没有给响应。问题差不多明了了,当test-single-lan2 ping 192.168.30.22时,接收请求的网卡是eth1,而根据默认路由需要经过eth0发响应报文。从上面的配置直观来看,test-single-lan2这台虚机无论与test-dual-vpc的任意一块网卡交互,应该都是联通的。同在30网段的机器,就是通过eth1发出去的。
反向过滤技术rpfilter
mueryidao的专栏
08-07 3697
项目中有一个操作是  echo "+ make sure the rp_filter is disabled on br0" for i in `find /proc/sys/net -name rp_filter`; do echo 0 > $i done
Linux rp_filter配置引起的组播断流问题
weixin_30530523的博客
08-30 1358
引子   前一段时间处理一个线上问题,服务器拉组播码流,但是每隔3-4分钟就断流一次,引起服务异常。排除了交换机和组播网络的问题后, 确认问题还是在服务器侧。 组播为什么断流?   前方工程人员抓包确认,交换机发送了igmp general query报文,但是服务器没有响应组播report报文,交换机上igmp条目超时退出,导致断流。   抓包分析如下: ...
Linux内核参数 rp_filter
shijin741231的博客
02-01 251
rp_filter (Reverse Path Filtering)参数定义了网卡对接收到的数据包进行反向路由验证的规则。0:关闭反向路由校验1:开启严格的反向路由校验。对每个进来的数据包,校验其反向路由是否是最佳路由。如果反向路由不是最佳路由,则直接丢弃该数据包。2:开启松散的反向路由校验。对每个进来的数据包,校验其源地址是否可达,即反向路由是否能通(通过任意网口),如果反向路径不通,则直接丢弃该数据包。
Linux rp_filter、arp_filter、arp_ignore、arp_announce参数说明
最新发布
shijin741231的博客
02-15 1513
Linux rp_filter、arp_filter、arp_ignore、arp_announce参数说明。我查看了参考资料,又去查阅了官方文档,凭着我的理解整理了以下文档。
sysctl net.ipv4.conf.all.rp_filter
07-12
该命令用于查看和设置 Linux 内核参数 `net.ipv4.conf.all.rp_filter` 的值。这个参数控制了反向路径过滤的行为。反向路径过滤用于防止 IP 欺骗攻击,它会检查接收到的网络数据包的源 IP 地址是否可以通过相同的接口...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值