Re: BCP38 on public-facing Ubuntu servers

[Jay Vosburgh <jay.vosburgh () canonical com>]

Grant Taylor via NANOG <nanog () nanog org> wrote:

> On 6/3/21 8:44 AM, William Herrin wrote:
> > rp_filter is great until your network is slightly less than a perfect
> > hierarchy. Then your Linux "router" starts mysteriously dropping packets
> > and, as with allow_local, Linux doesn't have any way to generate logs
> > about it so you end up with these mysteriously unexplained packet
> > discards matching no conceivable rule in iptables... This failure has
> > too often been the bane of my existence when using Linux for advanced
> > networking.
>
> I don't remember the particulars, but I thought that was the domain of
> log_martians (net.ipv4.conf.*.log_martians).
>
> Without log_martians or explicitly looking for such, no, you won't get any
> indication of such drops.

        Yes, enabling the log_martians sysctl will generate a kernel log
message for each rp_filter failure (subject to rate limiting).  There
are also stat counters in /proc/net/stat/rt_cache (one line per CPU) for
in_martian_dst and in_martian_src which increment regardless of the
log_martians setting.

        The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu,
but can be set to loose mode (== 2); the difference is, essentially, in
strict mode the reverse path must be the same interface as the ingress
interface, whereas in loose mode the reverse path can be any interface
(as long as the source address is reachable).

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst

        -J

---
        -Jay Vosburgh, jay.vosburgh () canonical com