- Why does Red Hat Enterprise Linux 6 drops packets when the route for outbound traffic differs from the route of incoming traffic?
- Why does Red Hat Enterprise Linux 6 differ from Red Hat Enterprise Linux 5 in handling asymmetrically routed packets?
- Red Hat Enterprise Linux (RHEL) 6
To accept asymmetrically routed (outgoing routes and incoming routes are different) packets set "
rp_filter" to 2 and restart networking, by running the following commands:
# echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter # echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
To make this behaviour persistent across reboot, modify
/etc/sysctl.conf and set
net.ipv4.conf.default.rp_filter = 2
prior to rebooting the system.
RHEL6 (unlike RHEL5) defaults to using Strict Reverse Path filtering.
net.ipv4.conf.default.rp_filter controls the default reverse path filtering setting for IPv4 networking. (It can be overridden per network interface through
Both RHEL6 and RHEL5 ship with a default
/etc/sysctl.conf that sets this sysctl to 1, but the meaning of this value is different between the RHEL6 and the RHEL5 kernel.
In RHEL5, the sysctl is documented as follows (cf.
rp_filter - BOOLEAN 1 - do source validation by reversed path, as specified in RFC1812 Recommended option for single homed hosts and stub network routers. Could cause troubles for complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static routes. 0 - No source validation. conf/all/rp_filter must also be set to TRUE to do source validation on the interface Default value is 0. Note that some distributions enable it in startup scripts.
whereas in RHEL6 (cf.
/usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt) there are three possible values for this setting:
rp_filter - INTEGER 0 - No source validation. 1 - Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. 2 - Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail. Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended. conf/all/rp_filter must also be set to non-zero to do source validation on the interface Default value is 0. Note that some distributions enable it in startup scripts.
with the value
2 corresponding to the behaviour that value
1 provided in RHEL5.