[Shorewall-users] Router filtering not working

Eric E. Bowles bowles at VarioSecure.Net
Thu Oct 30 16:01:35 PST 2003

Hi there,

I noticed that route filtering (both the "ROUTE_FILTER" option in 
shorewall.conf and the per-interface "routefilter" option in interfaces) 
wasn't working with Shorewall 1.4.7c on kernel 2.4.22.

The kernel documentation (linux/Documentation/networking/ip-sysctl.txt)
says this about route filtering (see the underlined portion):

  rp_filter - BOOLEAN
        1 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        0 - No source validation.

        conf/all/rp_filter must also be set to TRUE to do source validation
        on the interface

        Default value is 0. Note that some distributions enable it
        in startup scripts.

So in addition to setting each /proc/net/conf/$i/rp_filter to 1 for each
interface $i that I wanted to filter routes, I also needed to set 
/proc/net/conf/all/rp_filter to 1.

What's strange is that just setting /proc/net/conf/{all,default}/rp_filter
to 1 doesn't seem to enable filtering on all interfaces -- you have to 
explicitly enable filtering on each interface.

Furthermore, I needed to issue an "ip route flush cache" command to actually 
cause the kernel to filter routes.

I've attached a patch that implements the above, and it works for me, but YMMV.
The patch has rearranged the original logic a wee bit, so please check!

--- firewall	2003-09-19 04:45:25.000000000 +0900
+++ firewall.new	2003-10-30 15:24:35.000000000 +0900
@@ -4163,15 +4163,16 @@
 	echo 0 > $f
-    interfaces="`find_interfaces_by_option routefilter`"
+    if [ -n "$ROUTE_FILTER" ]; then
+        interfaces="$all_interfaces default"
+    else
+        interfaces="`find_interfaces_by_option routefilter`"
+    fi
-    if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
+    if [ -n "$interfaces" ]; then
 	echo "Setting up Kernel Route Filtering..."
-	if [ -n "$ROUTE_FILTER" ]; then
-	    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
-	else
-	    for interface in $interfaces; do
+	for interface in $interfaces; do
 		if [ -f $file ]; then
 		    echo 1 > $file
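Review bot: the merged loop still tests and writes `$file`, but the line that derives `file` from `$interface` is not among the visible lines of this hunk; confirm that an assignment such as `file=/proc/sys/net/ipv4/conf/$interface/rp_filter` still sits directly after `for interface in $interfaces; do`, since both the ROUTE_FILTER path and the per-interface routefilter path now depend on it. Worth stating in the change description as well: with ROUTE_FILTER set, `interfaces="$all_interfaces default"` covers only interfaces Shorewall knows about, so under the conf/all-plus-conf/$i rule quoted from ip-sysctl.txt an interface missing from the interfaces file gets no per-interface rp_filter write and stays unfiltered.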
@@ -4179,8 +4180,10 @@
 		    error_message \
 			"Warning: Cannot set route filtering on $interface"
-	    done
-	fi
+	done
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	run_ip route flush cache
     # IP Forwarding
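Review bot: the unconditional `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter` added after `done` has no `[ -f ... ]` guard and no `error_message` fallback, unlike the per-interface writes inside the loop; on a kernel without that file the redirection fails with a raw shell error rather than the script's own warning, so wrap it in the same check. `run_ip route flush cache` (assuming `run_ip` is the script's existing wrapper around `ip`) runs even when one of the per-interface writes was skipped; that is harmless, but the warning text could say that filtering stays off for that interface until the file exists.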

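The post's point is the kernel rule quoted from ip-sysctl.txt: on this kernel an interface is reverse-path filtered only when both conf/all/rp_filter and conf/$i/rp_filter are 1, which is why writing conf/all (or conf/default) alone did nothing. The script below is an added example and is not part of the original post or of Shorewall; it encodes that AND rule as a check, applies the per-interface-then-all write order the patch uses, and exercises both against a constructed fake /proc tree so it can be run without root. PROC_ROOT is a hypothetical override introduced here for that purpose, and the interface names eth0/eth1/eth9 are constructed. Note that this AND semantics is specific to 2.4 and early 2.6 kernels; from 2.6.31 on, the effective value is the larger of conf/all and conf/$i.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Shorewall patch.
# Shows the rule quoted from ip-sysctl.txt: on these kernels an interface is
# only reverse-path filtered when BOTH conf/all/rp_filter and
# conf/<iface>/rp_filter are 1.
#
# PROC_ROOT is a hypothetical override (assumption, not a Shorewall setting):
# it lets the functions run against a constructed directory tree instead of
# the real /proc, so the check can be exercised without root.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the value of conf/<name>/rp_filter under PROC_ROOT, or 0 if absent.
rp_filter_value() {
    f="$PROC_ROOT/sys/net/ipv4/conf/$1/rp_filter"
    v=0
    [ -f "$f" ] && read v < "$f"
    echo "$v"
}

# rp_filter_effective IFACE -> prints "on" or "off".
# "on" only when conf/all AND conf/IFACE are both 1 (the 2.4-era rule).
rp_filter_effective() {
    if [ "$(rp_filter_value all)" = 1 ] && [ "$(rp_filter_value "$1")" = 1 ]; then
        echo on
    else
        echo off
    fi
}

# rp_filter_enable IFACE... -> writes 1 to conf/IFACE/rp_filter for each
# IFACE, then to "default" and "all", mirroring the order the patch uses.
# A missing file yields the same style of warning as the patch and a
# non-zero return. The caller must still run "ip route flush cache"
# afterwards, as the post describes, for the change to take effect.
rp_filter_enable() {
    rc=0
    for iface in "$@" default all; do
        f="$PROC_ROOT/sys/net/ipv4/conf/$iface/rp_filter"
        if [ -f "$f" ]; then
            echo 1 > "$f"
        else
            echo "Warning: Cannot set route filtering on $iface" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a constructed fake /proc tree with rp_filter=0 everywhere
# (interface names are made up for the demo).
make_fixture() {
    for i in all default eth0 eth1; do
        mkdir -p "$1/sys/net/ipv4/conf/$i"
        echo 0 > "$1/sys/net/ipv4/conf/$i/rp_filter"
    done
}

# Demo on the constructed tree; runs when the script is executed directly.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    PROC_ROOT="$tmp"
    echo 1 > "$tmp/sys/net/ipv4/conf/all/rp_filter"
    echo "all=1 only:        eth0 $(rp_filter_effective eth0)"   # off
    rp_filter_enable eth0
    echo "all=1 and eth0=1:  eth0 $(rp_filter_effective eth0)"   # on
    echo "all=1, eth1 unset: eth1 $(rp_filter_effective eth1)"   # off
    rm -rf "$tmp"
    PROC_ROOT=/proc
}
demo
```

Against the real /proc (run as root, PROC_ROOT unset) `rp_filter_enable eth0 eth1` followed by `ip route flush cache` reproduces what the patch does for interfaces eth0 and eth1, and `rp_filter_effective eth0` is a quick way to confirm that both halves of the rule are satisfied after a reboot on a distribution whose startup scripts touch rp_filter.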