Hi Don,

First off, some parts of this mail are a little bit off topic for this mailing list. iptables should be brought up at [EMAIL PROTECTED]. Anyways, I haven't seen any answer to your questions on the list so far, so I'll do my best at answering them.

----- Original Message -----
From: "Don Cohen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 7:31 PM
Subject: [LARTC] rp filter questions

> The rp_filter is also explained here:
> http://lartc.org/HOWTO//cvs/2.4routing/html/c1182.html#AEN1188
> above says:
> for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
>     echo 1 > $i
> done
>
> First question:
> ls /proc/sys/net/ipv4/conf/*/rp_filter
> =>
> /proc/sys/net/ipv4/conf/all/rp_filter
> /proc/sys/net/ipv4/conf/default/rp_filter
> /proc/sys/net/ipv4/conf/eth0/rp_filter
> /proc/sys/net/ipv4/conf/eth1/rp_filter
> /proc/sys/net/ipv4/conf/eth2/rp_filter
> /proc/sys/net/ipv4/conf/lo/rp_filter
>
> What do all and default do?

From my lack of understanding, all will change the behaviour on all interfaces, while default contains the default values at all times, regardless of what the others are set to. Of course, I haven't actually checked if this is correct, nor am I an expert in the area... In other words, do not kill me for being wrong ;). I would make a general guess that the best answer would be given at the [EMAIL PROTECTED] mailing list.

> Could the loop above be replaced by just one?
>
> Second question:
> How does the runtime cost of rp_filter compare with that of rules like
> iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP

I would make a small guess that it will mean less overhead with rp_filter since it is working inside the ipv4 core, while netfilter is layered on top of the ipv4 core and requires a little bit more calls inside the kernel. Again, I may very possibly be wrong. The best answer would probably be given at the [EMAIL PROTECTED] or [EMAIL PROTECTED]

> I assume in one case you have to do a route lookup, in the other you
> have to iterate over the appropriate rules. What are these costs?
> Ideally the answers should be in terms of variables we know, such as
> the number of rules, the number of rules per interface, the number of
> routes, etc.

Again, I believe this is slightly off topic, but I may be wrong. Your best bet is the above mentioned mailing lists.

Have a nice day,
Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

> _______________________________________________
> LARTC mailing list / [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
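The "route lookup versus iterating over rules" question in the thread, as an added example that is not part of the original mails or of the kernel: a small Python simulation of the strict reverse-path check that rp_filter performs (route the packet's source address back and compare the outgoing interface with the one it arrived on), beside an explicit per-interface chain of the `-i eth1 -s ! 10.0.0.0/8 -j DROP` form. The routing table, rule list and packets are constructed; the point it shows is that the reverse-path check costs one longest-prefix lookup regardless of interface count, while the chain needs one rule per interface and is walked top to bottom.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: eth0 is the upstream link, eth1 and eth2 are LANs.
# Lookup uses longest-prefix match, as the kernel FIB does.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route via upstream
    ("10.0.0.0/8", "eth1"),      # internal network behind eth1
    ("192.168.1.0/24", "eth2"),  # second LAN behind eth2
]

def route_lookup(dst, routes=ROUTES):
    """Return the interface a packet to dst would leave on (longest prefix wins)."""
    dst = ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(src, in_dev, routes=ROUTES):
    """Strict reverse-path check: accept only if the route back to src
    leaves via the interface the packet came in on. One FIB lookup per packet."""
    return route_lookup(src, routes) == in_dev

# Constructed rule list in the spirit of
#   iptables -A FORWARD -i eth1 -s ! 10.0.0.0/8 -j DROP
# Each rule: (input interface, source prefix, negate source match, target).
# Note every interface needs its own rule; eth0 has none here on purpose.
RULES = [
    ("eth1", "10.0.0.0/8", True, "DROP"),
    ("eth2", "192.168.1.0/24", True, "DROP"),
]

def chain_accepts(src, in_dev, rules=RULES, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides.
    Cost grows with the number of rules ahead of the match."""
    src = ip_address(src)
    for dev, prefix, negate, target in rules:
        if dev != in_dev:
            continue
        if (src in ip_network(prefix)) != negate:
            return target == "ACCEPT"
    return policy == "ACCEPT"

if __name__ == "__main__":
    for src, dev in [("10.1.2.3", "eth1"), ("10.1.2.3", "eth0"), ("8.8.8.8", "eth1")]:
        print(src, dev, "rp_filter:", rp_filter_accepts(src, dev),
              "chain:", chain_accepts(src, dev))
```

The second packet (an internal source address arriving on the upstream interface) is dropped by the reverse-path check but passes the chain, because nobody wrote an eth0 rule.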
