1 2 3 |
|
http://blog.chinaunix.net/uid-20417916-id-3050031.html
反向路径过滤 – reverse path filter
一、原理
先介绍个非对称路由的概念
参考《Understanding Linux Network Internals》三十章,
30.2. Essential Elements of Routing
Symmetric routes and asymmetric routes
Usually, the route taken from Host A to Host B is the same as the route used to get back from Host B to Host A; the route is then called symmetric . In complex setups, the route back may be different; in this case, it is asymmetric.
关于反向路径过滤,参考《Understanding Linux Network Internals》三十一章,
31.7. Reverse Path Filtering
We saw what an asymmetric route is in the section “Essential Elements of Routing in Chapter 30. Asymmetric routes are not common, but may be necessary in certain cases. The default behavior of Linux is to consider asymmetric routing suspicious and therefore to drop any packet whose source IP address is not reachable through the device the packet was received from, according to the routing table.
However, this behavior can be tuned via /proc on a per-device basis, as we will see in Chapter 36. See also the section “Input Routing” in Chapter 35.
二、检查流程
如果一台主机(或路由器)从接口A收到一个包,其源地址和目的地址分别是10.3.0.2和10.2.0.2, 即, 如果启用反向路径过滤功能,它就会以为关键字去查找路由表,如果得到的输出接口不为A,则认为反向路径过滤检查失败,它就会丢弃该包。
关于反向路径过滤,ipv4中有个参数,这个参数的说明在Documentation/networking/ip-sysctl.txt中。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
三、源代码分析
git commit 373da0a2a33018d560afcb2c77f8842985d79594
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
|
五、如何解决
两种方法:
1 On R2:
ip route add 10.3.0.0/16 via 10.2.0.2
增加一条关于10.3.0.0/16子网的路由。
2 On R2:
/etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 0
禁用反向路径检查。