RE: BCP38 on public-facing Ubuntu servers

[Jean St-Laurent via NANOG <nanog () nanog org>]

Bingo! 

With the -t raw, you can bypass the 1.2 Mpps limitation in iptables per cpusocket, because it's doing a very early drop 
without crossing the full iptables kernel modules.

You can reach close to wrirespeed with the -t raw compare to using the same iptables without -t raw.

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Fran via NANOG
Sent: June 8, 2021 5:39 PM
To: nanog () nanog org
Subject: Re: BCP38 on public-facing Ubuntu servers

Hey,



to my knowledge there is no IPv6 equivalent for net.ipv4.conf.all.rp_filter.

Therefore I use netfilter to do the RP filtering for both address families.



ip(6)tables -t raw -I PREROUTING -m rpfilter --invert -j DROP



Using the raw tables less resources are used, but you could also choose other tables.
Details abour rpfilter can be found here [1].


This can also be achieved using nftables [2].


Best

Fran

[1] https://ipset.netfilter.org/iptables-extensions.man.html#lbBX
[2] https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information



On 04.06.21 20:43, Jay Vosburgh wrote:
> Grant Taylor via NANOG <nanog () nanog org> wrote:
>
> > On 6/3/21 8:44 AM, William Herrin wrote:
> > > rp_filter is great until your network is slightly less than a 
> > > perfect hierarchy. Then your Linux "router" starts mysteriously 
> > > dropping packets and, as with allow_local, Linux doesn't have any 
> > > way to generate logs about it so you end up with these mysteriously 
> > > unexplained packet discards matching no conceivable rule in 
> > > iptables... This failure has too often been the bane of my existence 
> > > when using Linux for advanced networking.
> >
> > I don't remember the particulars, but I thought that was the domain 
> > of log_martians (net.ipv4.conf.*.log_martians).
> >
> > Without log_martians or explicitly looking for such, no, you won't 
> > get any indication of such drops.
>
>       Yes, enabling the log_martians sysctl will generate a kernel log 
> message for each rp_filter failure (subject to rate limiting).  There 
> are also stat counters in /proc/net/stat/rt_cache (one line per CPU) 
> for in_martian_dst and in_martian_src which increment regardless of 
> the log_martians setting.
>
>       The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu, but 
> can be set to loose mode (== 2); the difference is, essentially, in 
> strict mode the reverse path must be the same interface as the ingress 
> interface, whereas in loose mode the reverse path can be any interface 
> (as long as the source address is reachable).
>
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
>
>       -J
>
> ---
>       -Jay Vosburgh, jay.vosburgh () canonical com