On 2013-04-02 01:50, Trevor Cordes wrote:
> On 2013-03-31 Robert Keizer wrote:
>> Keep in mind that turning off rp filter means that packets which match an IP for any interface will be accepted on all.
> Is that what it does? I just remember multihome just would not work at all until I set rp to 0.

"RP" stands for "Reverse Path". The RP Filter filters out any traffic that could/should not reasonably have arrived on that interface, based on the routing tables. So if you receive a packet from, say, 8.8.8.8, it will be dropped UNLESS there's an active route pointing to 8.8.8.8 out that interface.

> Also, I've found in my tests that the packets always come back to the correct modem. I've never seen any randomness; packets coming back into the wrong modem.

That would be essentially impossible in your case. It can and does happen with multihomed addresses that are portable, i.e. the same IP address(es) are reachable through more than one path (or ISP).

> I have no idea how iptables/netfilter and/or the kernel even would react to such packets if they did exist.

With rp_filter=0, they would be accepted. With rp_filter=1, they might be accepted, depending on your routing table.

> Either way, if it's not a security issue and if it all works as-is, I'm not too concerned :-)

Well, a spoofing risk does exist but in a multi-homed scenario is almost irrelevant by design. If you're simultaneously connected to Shaw and MTS, you could in theory filter Shaw's netblock on the MTS link (and vice-versa) on the assumption that the "best" route from any internal Shaw IP to you would be via the Shaw cable modem and never the MTS DSL modem. It's a pretty small risk, IMHO. The design of both networks makes it very difficult to do that kind of spoofing.
-Adam
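A small model of the reverse-path decision discussed in this thread, added here as an example and not part of the original messages: a constructed routing table for a cable-plus-DSL multihomed host, a longest-prefix lookup, and the accept/drop outcome for rp_filter 0 and 1 (plus Linux's loose mode 2, which the thread does not mention). Interface names and prefixes are assumptions; it shows why a packet claiming one ISP's netblock as its source is dropped in strict mode when it arrives on the other ISP's link.

```python
import ipaddress

# Constructed routing table for a host with a LAN (eth0), ISP A's cable modem (eth1)
# and ISP B's DSL modem (eth2). Prefixes use documentation ranges; all are assumptions.
ROUTES = [
    ("0.0.0.0/0", "eth1"),        # default route out ISP A
    ("203.0.113.0/24", "eth2"),   # ISP B's netblock is reached via the ISP B modem
    ("192.168.1.0/24", "eth0"),   # local LAN
]


def lookup(dst):
    """Longest-prefix match: the interface the kernel would use to reach dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter(src, ingress, mode):
    """Decide whether a packet with source `src` arriving on `ingress` passes rp_filter.

    mode 0: filtering disabled, everything is accepted.
    mode 1: strict, the reply to `src` must route out the same interface it came in on.
    mode 2: loose, any route back to `src` is enough (not discussed in the thread).
    Returns True to accept, False to drop.
    """
    if mode == 0:
        return True
    reverse_iface = lookup(src)
    if mode == 1:
        return reverse_iface == ingress
    if mode == 2:
        return reverse_iface is not None
    raise ValueError("rp_filter mode must be 0, 1 or 2")


if __name__ == "__main__":
    # Packet from 8.8.8.8 on the default-route interface is fine in strict mode,
    # the same packet on the DSL modem is dropped; disabling the filter accepts both.
    for ingress in ("eth1", "eth2"):
        print(ingress, rp_filter("8.8.8.8", ingress, 1), rp_filter("8.8.8.8", ingress, 0))
    # A source inside ISP B's netblock arriving on ISP A's link is the spoofing case.
    print("spoofed ISP B source on eth1:", rp_filter("203.0.113.5", "eth1", 1))
```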