linux内核路由反向检查,反向路径过滤——reverse path filter
反向路徑過濾——reverse path filter
一、原理
先介紹個非對稱路由的概念
參考《Understanding Linux Network Internals》三十章,
30.2. Essential Elements of Routing
Symmetric routes and asymmetric routes
Usually, the route taken from Host A to Host B is the same as the route used to get back from Host B to Host A; the route is then called symmetric . In complex setups, the route back may be different; in this case, it is asymmetric.
關于反向路徑過濾,參考《Understanding Linux Network Internals》三十一章,
31.7. Reverse Path Filtering
We saw what an asymmetric route is in the section "Essential Elements of Routing in Chapter 30. Asymmetric routes are not common, but may be necessary in certain cases. The default behavior of Linux is to consider asymmetric routing suspicious and therefore to drop any packet whose source IP address is not reachable through the device the packet was received from, according to the routing table.
However, this behavior can be tuned via /proc on a per-device basis, as we will see in Chapter 36. See also the section "Input Routing" in Chapter 35.
二、檢查流程
如果一臺主機(或路由器)從接口A收到一個包,其源地址和目的地址分別是10.3.0.2和10.2.0.2,
即, 如果啟用反向路徑過濾功能,它就會以為關鍵字去查找路由表,如果得到的輸出接口不為A,則認為反向路徑過濾檢查失敗,它就會丟棄該包。
關于反向路徑過濾,ipv4中有個參數,這個參數的說明在Documentation/networking/ip-sysctl.txt中。
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0. Note that some distributions enable it
in startup scripts.
三、源代碼分析
git commit 373da0a2a33018d560afcb2c77f8842985d79594
net/ipv4/fib_frontend.c
192 int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos,
193???????????????????????? int oif, struct net_device *dev, __be32 *spec_dst,
194???????????????????????? u32 *itag)
195 {
// 是否啟用反向路徑過濾
216???????? /* Ignore rp_filter for packets protected by IPsec. */
217???????? rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev);
// 檢查路由表
// 注意這里的源地址賀目的地址是反過來的,
// 看看其他函數是如何調用fib_validate_source()就明白了。
227???????? if (fib_lookup(net, &fl4, &res))
228???????????????? goto last_resort;
// 運行到這里,說明反向路由是可達的
// 下面分成兩種情況檢查輸出設備是否就是輸入設備
237 #ifdef CONFIG_IP_ROUTE_MULTIPATH
// 啟用多路徑時,任意一個匹配,就用它了
238???????? for (ret = 0; ret < res.fi->fib_nhs; ret++) {
239???????????????? struct fib_nh *nh = &res.fi->fib_nh[ret];
240
241???????????????? if (nh->nh_dev == dev) {
242???????????????????????? dev_match = true;
243???????????????????????? break;
244???????????????? }
245???????? }
246 #else
247???????? if (FIB_RES_DEV(res) == dev)
248???????????????? dev_match = true;
249 #endif
250???????? if (dev_match) {
// 反向路徑過濾檢查成功了,返回
251???????????????? ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
252???????????????? return ret;
253???????? }
254???????? if (no_addr)
255???????????????? goto last_resort;
// 運行到這里,說明反向路徑檢查是失敗的,
// 如果rpf為1,表示反向路徑檢查必須成功才能正常返回,
// 否則只好返回錯誤。
256???????? if (rpf == 1)
257???????????????? goto e_rpf;
278 e_rpf:
279???????? return -EXDEV;
四、實例
本網絡有三臺機器,R1, R2 和PC,子網掩碼都是255.255.0.0。
R2 (10.1.0.2) ---- (10.1.0.1) R1 (10.3.0.1) ---- (10.3.0.2) PC
R2 (10.2.0.2) ---- (10.2.0.1) R1
注意,設置R2的默認路由為10.1.0.1
現在,從PC上能夠ping通10.1.0.2,但是ping不通10.2.0.2。
tcpdump顯示,R2接到icmp request,但是不發送icmp reply。
PC
$ ip a
inet 10.3.0.2/16 brd 10.3.255.255 scope global eth0
$ ip r
10.3.0.0/16 dev eth0? proto kernel? scope link? src 10.3.0.2
default via 10.3.0.1 dev eth0
R1
$ ip a
inet 10.1.0.1/16 brd 10.1.255.255 scope global eth1
inet 10.2.0.1/16 brd 10.2.255.255 scope global eth2
inet 10.3.0.1/16 brd 10.3.255.255 scope global eth3
$ ip r
10.1.0.0/16 dev eth1? proto kernel? scope link? src 10.1.0.1
10.2.0.0/16 dev eth2? proto kernel? scope link? src 10.2.0.1
10.3.0.0/16 dev eth3? proto kernel? scope link? src 10.3.0.1
R2
$ ip a
inet 10.1.0.2/16 brd 10.1.255.255 scope global eth1
inet 10.2.0.2/16 brd 10.2.255.255 scope global eth2
$ ip r
10.1.0.0/16 dev eth1? proto kernel? scope link? src 10.1.0.2
10.2.0.0/16 dev eth2? proto kernel? scope link? src 10.2.0.2
default via 10.1.0.1 dev eth1
請問這是什么原因?
你可以返回去細細思考5分鐘......
我的回答:
假設R2的兩個接口分別為A(10.1.0.2)、B(10.2.0.2)。
從PC ping 10.2.0.2時,包的路徑是PC-->10.3.0.1-->10.2.0.2,
此時包的 ,
以進行反向路徑檢查, 得到輸出設備是A,
因為目的地址是10.3.0.2,只能使用默認路由。A!=B,反向路徑檢查失敗,
丟棄該包!
五、如何解決
兩種方法:
1 On R2:
ip route add 10.3.0.0/16 via 10.2.0.2
增加一條關于10.3.0.0/16子網的路由。
2 On R2:
/etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 0
禁用反向路徑檢查。
閱讀(1409) | 評論(0) | 轉發(0) |
總結
以上是生活随笔為你收集整理的linux内核路由反向检查,反向路径过滤——reverse path filter的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: linux添加固件到内核,树莓派4 BC
- 下一篇: linux postgres用户,关于l