Bug 847757 - rp_filter support for IPv6
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Blocks: 847707
Reported: 2012-08-13 09:15 EDT by Florian Weimer
Modified: 2012-08-14 09:16 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-08-13 10:30:33 EDT
Type: Bug
External Trackers: Linux Kernel 6998 (last updated 2012-08-13 09:15:09 EDT)

Description Florian Weimer 2012-08-13 09:15:09 EDT
There is currently no IPv6 support for rp_filter.  Without source address validation, ESTABLISHED and RELATED connection tracking in rules can match spoofed packets.  There is no good way to work around that, even with auto-generated filtering rules.
Comment 1 Josh Boyer 2012-08-13 10:30:33 EDT
You should take this up with the upstream networking developers on the netdev list. Note that it has been proposed before, and David Miller was not very fond of the implementation. He suggested he might remove rp_filter from ipv4 at some point as well:

http://www.spinics.net/lists/netdev/msg166280.html
Comment 2 Florian Weimer 2012-08-14 09:16:58 EDT
Upstream added the rpfilter module in Linux 3.3, for IPv4 and IPv6.  This needs iptables 1.4.14 in user space for configuration.  I think this is something we can work with.
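
The setup comment 2 points to, as an added example that is not part of the bug report or of any project's own code: it checks the two version floors named there (Linux 3.3, iptables 1.4.14) and emits a restore-format ruleset that applies the rpfilter match ahead of connection tracking. The function names `version_ge` and `rpfilter_rules` are hypothetical, and placing the rule in raw/PREROUTING is an assumption about where the check is wanted.

```shell
#!/bin/sh
# Added example: gate an rpfilter rule on the versions named in comment 2.

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # "0-15-generic" -> "0"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# rpfilter_rules KERNEL IPTABLES: print a restore-format ruleset, or fail if
# either version is older than what comment 2 requires.
rpfilter_rules() {
    kernel=$1 iptables=$2
    version_ge "$kernel" 3.3 || { echo "kernel $kernel: no rpfilter match" >&2; return 1; }
    version_ge "$iptables" 1.4.14 || { echo "iptables $iptables: too old" >&2; return 1; }
    # raw/PREROUTING runs before connection tracking, so a packet that fails
    # the reverse-path check is dropped before any ESTABLISHED/RELATED rule
    # can match it. Without --invert the match selects packets that PASS.
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
EOF
}

# Demo with constructed version strings; prints the ruleset only.
# To validate on a real host without committing (requires root):
#   rpfilter_rules "$(uname -r)" "$v" | ip6tables-restore --test
# where $v is the number printed by `ip6tables --version`.
rpfilter_rules "${1:-3.3.0}" "${2:-1.4.14}"
```

The same ruleset loads through `iptables-restore` for IPv4. On hosts with asymmetric routing the strict check drops legitimate traffic; the match's `--loose` option accepts a source that is reachable through any interface.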
