Linux kernel Reverse Path Filtering (RPF) analyze

Linux kernel Reverse Path Filtering (RPF) analyze
2015/03/10 (lvs)

Reverse Path Filtering (RPF) is a technology that is used on Internet Protocol routers to try and prevent source address spoofing, which is often used for Denial of Service attacks.

RPF works by checking the source IP of each packet received on an interface against the routing table. If the best route for the source IP address does not use the same interface that the packet was received on, the packet is dropped. There are some situations where this feature will obviously not be the desired behaviour and will need to be disabled. In general, if you are not multi-homed then enabling RPF on your router will not be a problem.
Analysis of the rp_filter flag among the Linux kernel parameters

sysctl -a|grep rp_filter
[root@router1 ipv4]# 
[root@router1 ipv4]# sysctl -a|grep rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.GE4.rp_filter = 1
net.ipv4.conf.GE4.arp_filter = 0
net.ipv4.conf.GE2.rp_filter = 1
net.ipv4.conf.GE2.arp_filter = 0
net.ipv4.conf.GE1.rp_filter = 1
net.ipv4.conf.GE1.arp_filter = 0
net.ipv4.conf.GE3.rp_filter = 1
net.ipv4.conf.GE3.arp_filter = 0
[root@router1 ipv4]# 

rp_filter – INTEGER

0 – No source validation.
1 – Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.

2 – Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet’s source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.

Setting 0 means incoming packets are not checked at all.
Setting 1 means a strict check: whichever interface a packet comes in on, the reply must go out of that same interface; packets for which the interface is found not to be the same are not replied to.
Setting 2 means a less strict check: as long as this IP is configured on the host, no matter which interface it is configured on, the packet can still be replied to.

echo 0 > /proc/sys/net/ipv4/conf/GE2/rp_filter
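As an added illustration, not part of the original post, the following Python models the three rp_filter modes described above against a small constructed routing table, and computes the mode the kernel actually applies to an interface, which is the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter. The FIB, the interface names and the sysctl subset are constructed for the example.

```python
import ipaddress

# Constructed subset of the sysctl output shown in the session above.
SYSCTL = """
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.GE2.rp_filter = 1
""".strip().splitlines()

# Constructed FIB: (prefix, outgoing interface). None marks a blackhole /
# unreachable route, i.e. a source that cannot be reached via any interface.
FIB = [
    ("0.0.0.0/0", "eth0"),        # default route
    ("10.2.0.0/16", "GE2"),
    ("10.3.0.0/16", "GE3"),
    ("203.0.113.0/24", None),     # blackholed prefix
]


def effective_mode(sysctl_lines, iface):
    """Mode the kernel applies on iface: max(conf/all, conf/<iface>)."""
    vals = {}
    for line in sysctl_lines:
        key, _, val = line.partition("=")
        vals[key.strip()] = int(val)
    return max(vals.get("net.ipv4.conf.all.rp_filter", 0),
               vals.get(f"net.ipv4.conf.{iface}.rp_filter", 0))


def best_reverse_path(src_ip, fib):
    """Longest-prefix match on the *source* address. Returns the interface of
    the best route, or None when no route matches or the route is a blackhole."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_accepts(src_ip, in_iface, mode, fib):
    """True if a packet from src_ip arriving on in_iface passes the RPF check."""
    if mode == 0:                       # no source validation
        return True
    out_iface = best_reverse_path(src_ip, fib)
    if mode == 1:                       # strict: best reverse path must be in_iface
        return out_iface == in_iface
    return out_iface is not None        # loose: reachable via any interface
```

Packets whose claimed source is reachable only through another interface pass in loose mode and fail in strict mode, which is the distinction that matters on a multi-homed router with asymmetric routing.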