Bug 847757 - rp_filter support for IPv6
Summary: rp_filter support for IPv6
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 847707
Reported: 2012-08-13 13:15 UTC by Florian Weimer
Modified: 2012-08-14 13:16 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-08-13 14:30:33 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Linux Kernel 6998 0 None None None 2019-05-07 07:17:45 UTC

Description Florian Weimer 2012-08-13 13:15:09 UTC
There is currently no IPv6 support for rp_filter.  Without source address validation, ESTABLISHED and RELATED connection tracking in rules can match spoofed packets.  There is no good way to work around that, even with auto-generated filtering rules.

Comment 1 Josh Boyer 2012-08-13 14:30:33 UTC
You should take this up with the upstream networking developers on the netdev list.  Note that it has been proposed before, and David Miller was not very fond of the implementation.  He suggested he might remove rp_filter from ipv4 at some point as well:

http://www.spinics.net/lists/netdev/msg166280.html

Comment 2 Florian Weimer 2012-08-14 13:16:58 UTC
Upstream added the rpfilter module in Linux 3.3, for IPv4 and IPv6.  This needs iptables 1.4.14 in user space for configuration.  I think this is something we can work with.
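
Added example, not part of the bug report or written by its commenters: a shell sketch that checks the two minimum versions named in Comment 2 and prints a ruleset using the rpfilter match. The function names are hypothetical, and the parsing assumes `ip6tables --version` prints a line of the form `ip6tables v1.4.14`.

```shell
#!/bin/sh
# version_ge A B: succeed if dotted version A >= B, compared field by field
# as numbers (so 1.4.9 < 1.4.14). Suffixes such as "-5.fc17" are ignored.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# rpfilter_supported KERNEL IPTABLES: both minimums from Comment 2 are met.
rpfilter_supported() {
    version_ge "$1" 3.3 && version_ge "${2#v}" 1.4.14
}

# rpfilter_ruleset: input for ip6tables-restore (the same text also loads
# with iptables-restore). The rule sits in raw/PREROUTING, which runs before
# connection tracking, so a packet that fails the reverse-path test is
# dropped before an ESTABLISHED,RELATED rule could match it.
rpfilter_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
EOF
}

# Dry run: print the ruleset only if this host meets both minimums.
# To load it (as root): rpfilter_ruleset | ip6tables-restore --noflush
kernel=$(uname -r)
tools=$(ip6tables --version 2>/dev/null | awk '{print $2}')
if rpfilter_supported "$kernel" "${tools:-0}"; then
    rpfilter_ruleset
else
    echo "rpfilter needs Linux >= 3.3 and iptables >= 1.4.14" >&2
fi
```

On hosts with asymmetric routing, the match's `--loose` option accepts a packet when a route to its source exists on any interface.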

