Andrew Morton <[EMAIL PROTECTED]> wrote:
>
> Using a fwmark as a key for selecting among multiple routing tables (via "ip
> rule" command) breaks the rp_filter functionality since the fwmark field is
> not initialized in function fib_validate_source. Because of this there is no
> way to assure that outgoing and incoming packets use the same routing table.
Yes this is a problem. However, using the fwmark of the inbound packet as the key to look up the inverse route isn't the best option since this doesn't work if the mark generated by a real packet going in the inverse direction is different.

This isn't the only problem that rp_filter has of course. For example, it fails to take IPsec policies into account as well.

So perhaps it is time to look at solving this problem in a different way. One possible approach is to have an rp_filter check in netfilter that constructs the inverse flow of the packet in question and performs all relevant lookups, including netfilter and IPsec, before deciding whether the packet is acceptable or not.

This would have the added benefit that it can be turned on/off based on criteria other than the interface via which a packet arrived.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
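The interaction the report describes, as an added illustration that is not part of the thread and not kernel code: a small model of fwmark-keyed policy routing (two rules, two tables) and a reverse-path check in the style of fib_validate_source. `rp_filter_accept` takes a `mark_in_key` switch that decides whether the reverse lookup carries the packet's mark; with it off, a legitimate reply arriving on the secondary interface is routed back through the main table and wrongly rejected, which is the spurious drop operators see when rp_filter and fwmark-based multi-homing are combined. The interface names, addresses, table names and marks are constructed for the example. The model also makes the reply's caveat visible: it assumes the mark on the inbound packet equals the one a real outbound packet would get, which is exactly what a netfilter-side inverse-flow check would have to reconstruct rather than assume.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of Linux policy routing plus the rp_filter check.
 * Illustrative code written for this thread, not kernel code. */

enum { IF_NONE = 0, IF_ETH0 = 1, IF_ETH1 = 2 };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route { uint32_t prefix; unsigned plen; int oif; };
struct table { const char *name; const struct route *routes; int nroutes; };
/* fwmark == 0 means "match any packet", like a rule without a fwmark selector */
struct rule  { uint32_t fwmark; const struct table *table; };

static uint32_t netmask(unsigned plen)
{
    return plen == 0 ? 0u : 0xffffffffu << (32 - plen);
}

/* Longest-prefix match within one table; returns the output interface. */
static int table_lookup(const struct table *t, uint32_t dst)
{
    int oif = IF_NONE, best = -1;
    for (int i = 0; i < t->nroutes; i++) {
        const struct route *r = &t->routes[i];
        if ((dst & netmask(r->plen)) == r->prefix && (int)r->plen > best) {
            best = (int)r->plen;
            oif = r->oif;
        }
    }
    return oif;
}

/* Walk the rules in priority order; the first rule whose selector matches
 * and whose table yields a route decides the output interface. */
static int fib_lookup(const struct rule *rules, int nrules,
                      uint32_t dst, uint32_t fwmark)
{
    for (int i = 0; i < nrules; i++) {
        if (rules[i].fwmark != 0 && rules[i].fwmark != fwmark)
            continue;
        int oif = table_lookup(rules[i].table, dst);
        if (oif != IF_NONE)
            return oif;
    }
    return IF_NONE;
}

/* rp_filter: accept only if the source address would be reached through the
 * interface the packet arrived on. mark_in_key chooses whether the reverse
 * lookup carries the packet's fwmark (the patch's proposal) or leaves the
 * mark unset in the key (the behaviour the report describes). */
static int rp_filter_accept(const struct rule *rules, int nrules,
                            uint32_t src, int iif, uint32_t fwmark, int mark_in_key)
{
    int oif = fib_lookup(rules, nrules, src, mark_in_key ? fwmark : 0);
    return oif == iif;
}

/* Constructed configuration: default route via eth0 in "main"; a second
 * table "isp2" with a default via eth1, reached only by packets marked 2. */
static const struct route main_routes[] = {
    { IP4(192, 0, 2, 0), 24, IF_ETH0 },
    { IP4(0, 0, 0, 0),    0, IF_ETH0 },
};
static const struct route isp2_routes[] = {
    { IP4(0, 0, 0, 0), 0, IF_ETH1 },
};
static const struct table main_table = { "main", main_routes, 2 };
static const struct table isp2_table = { "isp2", isp2_routes, 1 };
static const struct rule  rules[] = {
    { 2, &isp2_table },   /* ip rule add fwmark 2 table isp2 */
    { 0, &main_table },   /* ip rule add table main */
};
#define NRULES 2

/* Scenario from the report: a reply arrives on eth1 from 198.51.100.7 and the
 * firewall has marked it 2, so the forward direction also uses table isp2. */
static int reply_on_eth1_accepted(int mark_in_key)
{
    return rp_filter_accept(rules, NRULES, IP4(198, 51, 100, 7),
                            IF_ETH1, 2, mark_in_key);
}

int main(void)
{
    printf("mark absent from reverse lookup: %s\n",
           reply_on_eth1_accepted(0) ? "accept" : "drop");
    printf("mark present in reverse lookup:  %s\n",
           reply_on_eth1_accepted(1) ? "accept" : "drop");
    return 0;
}
```

Running it prints "drop" for the first case and "accept" for the second: with the mark left out of the key, the source 198.51.100.7 resolves through the main table to eth0, which does not match the arrival interface eth1, so a packet that the forward path would happily route via isp2 is discarded on ingress.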