Hello!

>      Plus, I finally figured out that you can disable it with the
>      /proc/sys/net/ipv4/conf/tap0/rp_filter sysctl.

rp_filter IS DISABLED by default!!! Look in the dark corners;
apparently you have some virus which enabled it. 8)

> Unsolicited opinion: the kernel seems to be taking network policy into its
> own hands here.  Such restrictions can be handled by the IP firewall -- why
> do we have to have them in the main routing code as well?

rp_filter is policy, and it is turned off by default.
It does a thing which is very difficult (to be more exact, infeasible
with existing software) to do with firewall rules and very easy
to do in routing.

The second, namely the fact that sending spoofed packets to the network
is not allowed, has nothing to do with policy. It provides stack
self-consistency. BTW, if the superuser really wants to do it,
he marks them with the MSG_PROXY flag or sends spoofed packets as raw packets.

Alexey
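
An added example, not part of the original message: a shell function that reports the rp_filter value in effect on each interface, for checking what the per-interface sysctl mentioned above actually resolves to. It assumes the behaviour documented for current kernels (2.6.31 and later), where the larger of conf/all/rp_filter and conf/<iface>/rp_filter is applied (0 = off, 1 = strict, 2 = loose), which may differ from the kernel discussed in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the reverse-path filter mode in effect per interface.
# Assumption: kernel 2.6.31+ semantics, where the value used for an interface
# is max(conf/all/rp_filter, conf/<iface>/rp_filter).

# Map a numeric rp_filter value to its documented meaning.
rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_audit [CONF_DIR]
# CONF_DIR defaults to the live sysctl tree; a constructed directory with the
# same layout can be passed instead (useful for offline checks).
# Output, one line per interface:
#   <iface> configured=<n> effective=<n> <mode>
rp_filter_audit() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_file="$conf_dir/all/rp_filter"
    [ -r "$all_file" ] || { echo "cannot read $all_file" >&2; return 1; }
    all_val=$(cat "$all_file")

    for dir in "$conf_dir"/*/; do
        iface=$(basename "$dir")
        # "all" is the global knob and "default" only seeds new interfaces;
        # neither is an interface that receives packets.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        val=$(cat "$dir/rp_filter")
        # The effective value is the larger of the global and per-interface one.
        eff=$val
        [ "$all_val" -gt "$eff" ] && eff=$all_val
        echo "$iface configured=$val effective=$eff $(rp_mode_name "$eff")"
    done
}
```

Source the file and call `rp_filter_audit` with no argument to read the live system. An interface showing configured=0 but effective=1 has filtering applied through conf/all rather than through its own setting.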