doc:appunti:linux:sa:arp_problems [2024/12/05 09:42] – [Problemi ARP] niccolo
doc:appunti:linux:sa:arp_problems [2024/12/05 12:12] (current) – [rp_filter=1] niccolo
Line 14: Line 14:
 === Reverse Path Filter (rp_filter) === === Reverse Path Filter (rp_filter) ===
  
-=== ARP ... arp_ignore ===+This is a **filter** on **incoming packets**. If reverse path filtering is enabled, kernel may drops packets that do not arrive on the expected interface according to the routing table. 
 + 
 +=== Ignore received ARP requests (arp_ignore=== 
 + 
 +This is a **filter** on **outgouing packets** (responses to ARP requests). 
  
 ======  ====== ======  ======
  
-^ rp_filter  | **0** (default): No source validation.\\ **1**: Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.\\ **2**: Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.  | +^ rp_filter  | **0** (default): No source validation.\\ **1**: Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB (forwarding information base) and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.\\ **2**: Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.  | 
-^ arp_ignore  | **0** (default): reply for any local target IP address, configured on any interface.\\ **1**:  Reply only if the target IP address is local address configured on the incoming interface.\\ **2**: Reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface.\\ **3**: ...   |+^ arp_ignore  | **0** (default): reply for any local target IP address, configured on any interface.\\ **1**:  Reply only if the target IP address is local address configured on the incoming interface.\\ **2**: Reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface.\\ **3**: Do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied |
  
  
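Review bot: the added heading `+=== Ignore received ARP requests (arp_ignore===` is missing the closing parenthesis, so the title renders as "(arp_ignore"; it should read `=== Ignore received ARP requests (arp_ignore) ===`. Two smaller slips in the same hunk: "kernel may drops packets" should be "the kernel may drop packets", and "outgouing packets" should be "outgoing packets". One wording point on the new rp_filter sentence: "do not arrive on the expected interface according to the routing table" describes only strict mode (value 1); the table row in this hunk correctly says loose mode (value 2) only requires the source address to be reachable via some interface, so adding "depending on the mode" to the sentence would keep it from contradicting the row.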
Line 42: Line 46:
  
 Con il parametro **rp_filter=1** il pacchetto ARP ricevuto viene ispezionato: se l'interfaccia su cui è stato ricevuto non corrisponde alla route che si dovrebbe usare per comunicare con l'IP sorgente, il pacchetto viene scartato (nota bene: il pacchetto //ARP request// **contiene l'indirizzo IP** dell'host che lo ha generato). Con il parametro **rp_filter=1** il pacchetto ARP ricevuto viene ispezionato: se l'interfaccia su cui è stato ricevuto non corrisponde alla route che si dovrebbe usare per comunicare con l'IP sorgente, il pacchetto viene scartato (nota bene: il pacchetto //ARP request// **contiene l'indirizzo IP** dell'host che lo ha generato).
 +
 +**ATTENZIONE**: Alcuni software modificano questo parametro a seconda della propria configurazione; ad esempio Shorewall imposta **rp_filter=1** se nel file **/etc/shorewall/interfaces** l'interfaccia viene impostata con l'opzione **routefilter**, altrimenti il parametro viene reimpostato a zero.
  
 ===== arp_ignore=2 ===== ===== arp_ignore=2 =====
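Review bot: the new Shorewall warning states that rp_filter is reset to zero when the interface lacks the `routefilter` option in `/etc/shorewall/interfaces`, but gives no reference; a pointer to the shorewall-interfaces man page for `routefilter` would let readers confirm the behaviour for their Shorewall version. Since the surrounding section tells readers to rely on rp_filter=1 while another tool may rewrite it at startup, the warning would also be more useful if it said where to verify the effective value after Shorewall has started (the per-interface and `all` keys under `net.ipv4.conf` in sysctl).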
doc/appunti/linux/sa/arp_problems.1733388139.txt.gz · Last modified: 2024/12/05 09:42 by niccolo