Red Hat Bugzilla – Bug 847757
rp_filter support for IPv6
Last modified: 2012-08-14 09:16:58 EDT
There is currently no IPv6 support for rp_filter. Without source address validation, ESTABLISHED and RELATED connection tracking in rules can match spoofed packets. There is no good way to work around that, even with auto-generated filtering rules.
You should take this up with the upstream networking developers on the netdev list. Note that it has been proposed before, and David Miller was not very fond of the implementation. He suggested he might remove rp_filter from ipv4 at some point as well:
Upstream added the rpfilter module in Linux 3.3, for IPv4 and IPv6. This needs iptables 1.4.14 in user space for configuration. I think this is something we can work with.
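The following is an added example, not part of the original bug thread: a shell sketch that checks the two version floors named in the last comment (Linux 3.3, iptables 1.4.14) and emits a raw-table ruleset using the rpfilter match, so packets failing the reverse-path check are dropped before connection tracking sees them. The function names `version_ge`, `rpfilter_rules` and `emit_if_supported` are hypothetical, and the ruleset is a minimal assumption to adapt to the host's existing raw table.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# version_ge A B: succeed when dotted version A >= B, compared numerically
# field by field (1.4.7 < 1.4.14, which a plain string compare gets wrong).
version_ge() {
    a=${1%%[!0-9.]*}    # "3.3.0-4.fc17.x86_64" -> "3.3.0"
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# rpfilter_rules: print an ip6tables-restore fragment. The rpfilter match is
# only valid in PREROUTING of the raw or mangle table; raw runs before
# conntrack, so a spoofed packet never reaches an ESTABLISHED/RELATED rule.
rpfilter_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
EOF
}

# emit_if_supported KERNEL_VER IPTABLES_VER: print the rules only when both
# version floors from the thread are met; otherwise explain and return 1.
emit_if_supported() {
    version_ge "$1" 3.3 || { echo "kernel $1 < 3.3: no rpfilter match" >&2; return 1; }
    version_ge "$2" 1.4.14 || { echo "iptables $2 < 1.4.14" >&2; return 1; }
    rpfilter_rules
}

# Typical use as root (assumes ip6tables is installed):
#   ipt=$(ip6tables --version | sed 's/^[^v]*v\([0-9.]*\).*/\1/')
#   emit_if_supported "$(uname -r)" "$ipt" | ip6tables-restore --noflush
```

The same rule line works with `iptables-restore` for IPv4, since the module was added for both families.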