-----BEGIN PGP SIGNED MESSAGE-----
On 15-Feb-2000 Mike A. Harris wrote:
> If one enables rp_filter with:
>
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> ... does it enable SAV on ALL interfaces past, present and
> future, or just the ones that are up?
>
> What document describes the conf/ dirs/files in detail? I've
> looked at various files in Documentation which do help, however
> I'm still left puzzled.
>
> In several scripts people have sent me there is code like the
> following:
>
> if [ -e $PROCNET/conf/all/rp_filter ]; then
> echo -n "Enabling kernel level source address verification "
> echo -n "IP spoofing protection: "
> for f in $PROCNET/conf/*/rp_filter
> do
> echo 1 > $f
> done
> echo "done."
> else
> echo "WARNING: SAV IP spoofing could not be enabled."
> echo "Manual rule based IP spoofing not implemented yet."
> fi
>
>
> When I read the above, the for loop seems redundant to me. Why
> echo 1 to every dir's rp_filter? Is that not what the "all"
> directory is for?
>
> Are the following two equivalent?
>
> 1) for f in /proc/sys/net/ipv4/conf/*/rp_filter
> do
> echo 1 > $f
> done
>
>
>
> 2) echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
>
>
> What is the "default" one for?
>
> Please feel free to point me to the exact document that
> accurately and unambiguously describes all of this.
>
> I really appreciate it, thanks.
> TTYL
[snip]
See fib_validate_source() in net/ipv4/fib_fronend.c on what it does
It checks on per device basis. So it should check the value in
/proc/sys/net/ipv4/conf/$device/rp_filter for an interface that is already up.
the all values if I recall correctly are copied as defaults at device init. So
they affect newly config'ed devices.
include "stdisclaimer.h"
- ----------------------------------
Anton R. Ivanov
IP Engineer Level3 Communications
RIPE: ARI2-RIPE E-Mail: Anton Ivanov <aivanov@eu.level3.net>
@*** Segal's Law ***
A man with one watch knows what time it is;
a man with two watches is never sure.
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iQEVAwUBOKkyUSlWAw/bM84zAQEupwf/cVzcgZzxwq7T4dA/hAvRnF4ZF5yHKZmq
GbiJDmDRsVTTh1al24eqhM9IVm/iXLdOlydZqJa7qO1yTbE3TGdrdnPxnohDFSSE
egIX76Dgik8i10qxxeShePSv4CajmJYpTxpu2Qcnr0iatA7Je2CO68jDcoNG9p98
9zaAcdOwIbsA3qFgjPuO6pGp56jCFmUAB0mlLiz5xBmh2+lC3UYAN3v6U8Q3GnMw
xZS6Vb6+Uz9jWrXbxIQiAHcTFgVdwpY9DWdBTTsmSPEeXioS+zq4sxomgDwwD/RL
0FDfJwn4776H4rLJFPvpLxX7H0j/SOM7Ndhak4P24igbCDxsZb1nZg==
=rssr
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:29 EST