Bug 847757

Summary: rp_filter support for IPv6
Product: [Fedora] Fedora
Component: kernel
Version: rawhide
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Reporter: Florian Weimer <fweimer>
Assignee: Kernel Maintainer List <kernel-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, pmatouse, twoerner
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-08-13 14:30:33 UTC
Bug Blocks: 847707

Description Florian Weimer 2012-08-13 13:15:09 UTC
There is currently no IPv6 support for rp_filter.  Without source address validation, ESTABLISHED and RELATED connection tracking in rules can match spoofed packets.  There is no good way to work around that, even with auto-generated filtering rules.

Comment 1 Josh Boyer 2012-08-13 14:30:33 UTC
You should take this up with the upstream networking developers on the netdev list.  Note that it has been proposed before, and David Miller was not very fond of the implementation.  He suggested he might remove rp_filter from ipv4 at some point as well:

http://www.spinics.net/lists/netdev/msg166280.html

Comment 2 Florian Weimer 2012-08-14 13:16:58 UTC
Upstream added the rpfilter module in Linux 3.3, for IPv4 and IPv6.  This needs iptables 1.4.14 in user space for configuration.  I think this is something we can work with.
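
The approach settled on in comment 2, as an added example that is not part of the original bug report: it checks the two minimum versions quoted there and prints a raw-table fragment, loadable with iptables-restore or ip6tables-restore, that drops packets failing the reverse-path check before connection tracking sees them. The function names, the sample versions and the choice of the raw table's PREROUTING chain are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Versions are passed in as plain
# dotted strings, e.g. the output of `uname -r`; sample values are constructed.

# version_ge A B: succeed when dotted version A >= B, comparing the first
# three fields numerically (so 1.4.9 < 1.4.14). Suffixes like "-5.fc17" are cut.
version_ge() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0"
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# rpfilter_rules: print a restore-format fragment. The raw table runs before
# connection tracking, so a packet whose source address fails the
# reverse-path lookup is dropped before ESTABLISHED/RELATED rules can match it.
rpfilter_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
EOF
}

# rpfilter_plan KERNEL IPTABLES: print the rules when both minimum versions
# from comment 2 are met; otherwise say what is missing and return 1.
rpfilter_plan() {
    if ! version_ge "$1" 3.3; then
        echo "kernel $1 is older than 3.3: no rpfilter match" >&2; return 1
    fi
    if ! version_ge "$2" 1.4.14; then
        echo "iptables $2 is older than 1.4.14: cannot configure rpfilter" >&2
        return 1
    fi
    rpfilter_rules
}

# Constructed sample versions; pipe the output to ip6tables-restore --test
# on a real host to validate it without committing.
rpfilter_plan "3.3.4-5.fc17.x86_64" "1.4.14"
```
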