Andrew Morton <[EMAIL PROTECTED]> wrote:
>
> Using a fwmark as a key for selecting among multiple routing tables (via "ip
> rule" command) breaks the rp_filter functionality since the fwmark field is
> not initialized in function fib_validate_source. Because of this there is no
> way to assure that outgoing and incoming packets use the same routing table.

Yes this is a problem.  However, using the fwmark of the inbound packet
as the key to look up the inverse route isn't the best option since this
doesn't work if the mark generated by a real packet going in the inverse
direction is different.

This isn't the only problem that rp_filter has of course.  For example,
it fails to take IPsec policies into account as well.

So perhaps it is time to look at solving this problem in a different way.
One possible approach is to have an rp_filter check in netfilter that
constructs the inverse flow of the packet in question and performs all
relevant lookups, including netfilter and IPsec, before deciding whether
the packet is acceptable or not.  This would have the added benefit that
it can be turned on/off based on criteria other than the interface via
which a packet arrived.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
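The three reverse-path checks discussed in this thread, modelled as an added Python example that is not kernel code and not part of the original mail. The rules, tables and mangle marks are constructed: marked traffic is routed via a second ISP on eth1, egress packets to a prefix get mark 1, and inbound packets on eth1 get an unrelated mark 3, so the inbound mark differs from the mark a real reply would carry, which is the case Herbert's objection describes.

```python
"""Toy model of Linux policy routing plus reverse-path filtering (constructed).

Modes compared by rp_check():
  mark-blind   : route the source with mark 0 (the reported fib_validate_source bug)
  inbound-mark : reuse the mark stamped on the inbound packet (the proposed fix)
  inverse-flow : build the reverse packet, run the egress mark policy on it,
                 then route it (the netfilter-based approach suggested above)
"""
import ipaddress

# Constructed policy database: (fwmark or None for any, table) in priority order.
RULES = [(1, "isp_b"), (None, "main")]
TABLES = {
    "main":  [("0.0.0.0/0", "eth0")],   # default via ISP A
    "isp_b": [("0.0.0.0/0", "eth1")],   # marked traffic via ISP B
}
# Constructed mangle policy: egress packets to this prefix get mark 1,
# while all ingress packets on eth1 get an accounting mark 3.
EGRESS_MARK = [("198.51.100.0/24", 1)]
INGRESS_MARK = {"eth1": 3}


def route(dst, fwmark):
    """Output device for dst under fwmark: first matching rule, longest prefix."""
    dst = ipaddress.ip_address(dst)
    for rule_mark, table in RULES:
        if rule_mark is not None and rule_mark != fwmark:
            continue
        entries = sorted(TABLES[table],
                         key=lambda e: -ipaddress.ip_network(e[0]).prefixlen)
        for prefix, dev in entries:
            if dst in ipaddress.ip_network(prefix):
                return dev
    return None


def egress_mark(dst):
    """Mark the mangle policy would put on a packet we send to dst."""
    dst = ipaddress.ip_address(dst)
    for prefix, mark in EGRESS_MARK:
        if dst in ipaddress.ip_network(prefix):
            return mark
    return 0


def rp_check(src, in_dev, mode):
    """True if a packet from src arriving on in_dev passes the reverse-path check."""
    if mode == "mark-blind":
        mark = 0
    elif mode == "inbound-mark":
        mark = INGRESS_MARK.get(in_dev, 0)
    elif mode == "inverse-flow":
        mark = egress_mark(src)          # mark the reply to src would really carry
    else:
        raise ValueError(mode)
    return route(src, mark) == in_dev
```

Only the inverse-flow mode accepts the legitimate packet on eth1 while still rejecting the same source address arriving on eth0.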