847757 – rp_filter support for IPv6

Bug 847757 - rp_filter support for IPv6

Summary: rp_filter support for IPv6

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	847707
TreeView+	depends on / blocked

Reported:	2012-08-13 13:15 UTC by Florian Weimer
Modified:	2012-08-14 13:16 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-08-13 14:30:33 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Linux Kernel	6998	0	None	None	None	2019-05-07 07:17:45 UTC

Description Florian Weimer 2012-08-13 13:15:09 UTC

There is currently no IPv6 support for rp_filter.  Without source address validation, ESTABLISHED and RELATED connection tracking in rules can match spoofed packets.  There is no good way to work around that, even with auto-generated filtering rules.

Comment 1 Josh Boyer 2012-08-13 14:30:33 UTC

You should take this up with the upstream networking developers on the netdev list.  Note that it has been proposed before, and David Miller was not very fond of the implemenation.  He suggested he might remove rp_filter from ipv4 at some point as well:

http://www.spinics.net/lists/netdev/msg166280.html

Comment 2 Florian Weimer 2012-08-14 13:16:58 UTC

Upstream added the rpfilter module in Linux 3.3, for IPv4 and IPv6.  This needs iptables 1.4.14 in user space for configuration.  I think this is something we can work with.

Note You need to log in before you can comment on or make changes to this bug.