[Shorewall-users] Router filtering not working

Eric E. Bowles bowles at VarioSecure.Net
Thu Oct 30 16:01:35 PST 2003


Hi there,

I noticed that route filtering (both the "ROUTE_FILTER" option in 
shorewall.conf and the per-interface "routefilter" option in interfaces) 
wasn't working with Shorewall 1.4.7c on kernel 2.4.22.

The kernel documentation (linux/Documentation/networking/ip-sysctl.txt)
says this about route filtering (see the underlined portion):

  rp_filter - BOOLEAN
        1 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        0 - No source validation.

        conf/all/rp_filter must also be set to TRUE to do source validation
        on the interface
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        Default value is 0. Note that some distributions enable it
        in startup scripts.

So in addition to setting each /proc/net/conf/$i/rp_filter to 1 for each
interface $i that I wanted to filter routes, I also needed to set 
/proc/net/conf/all/rp_filter to 1.

What's strange is that just setting /proc/net/conf/{all,default}/rp_filter
to 1 doesn't seem to enable filtering on all interfaces -- you have to 
explicitly enable filtering on each interface.

Furthermore, I needed to issue an "ip route flush cache" command to actually 
cause the kernel to filter routes.

I've attached a patch that implements the above, and it works for me, but YMMV.
The patch has rearranged the original logic a wee bit, so please check!

--eric
-------------- next part --------------
--- firewall	2003-09-19 04:45:25.000000000 +0900
+++ firewall.new	2003-10-30 15:24:35.000000000 +0900
@@ -4163,15 +4163,16 @@
 	echo 0 > $f
     done
 
-    interfaces="`find_interfaces_by_option routefilter`"
+    if [ -n "$ROUTE_FILTER" ]; then
+        interfaces="$all_interfaces default"
+    else
+        interfaces="`find_interfaces_by_option routefilter`"
+    fi
 
-    if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
+    if [ -n "$interfaces" ]; then
 	echo "Setting up Kernel Route Filtering..."
 
-	if [ -n "$ROUTE_FILTER" ]; then
-	    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
-	else
-	    for interface in $interfaces; do
+	for interface in $interfaces; do
 		file=/proc/sys/net/ipv4/conf/$interface/rp_filter
 		if [ -f $file ]; then
 		    echo 1 > $file
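Review bot: `$all_interfaces`, used in the new `interfaces="$all_interfaces default"` line, is not defined anywhere in this hunk; please confirm it is populated before this block runs and that every name it holds has a matching /proc/sys/net/ipv4/conf/<interface> directory, because any entry without one now falls through the `if [ -f $file ]` check in the loop below instead of being silently covered by the old single write to conf/all. Appending `default` also changes behaviour (interfaces created later start with rp_filter=1), which the mail does not mention; a one-line comment above the assignment and a changelog entry would help.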
@@ -4179,8 +4180,10 @@
 		    error_message \
 			"Warning: Cannot set route filtering on $interface"
 		fi
-	    done
-	fi
+	done
+
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	run_ip route flush cache
     fi
     #
     # IP Forwarding
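Review bot: the unconditional `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter` has neither the `[ -f $file ]` guard nor the `error_message` fallback that the per-interface loop just above it gets; give it the same treatment, and add a comment citing the ip-sysctl.txt requirement quoted in the mail so the line is not later "simplified" away. Note also the behaviour change this hunk introduces: with ROUTE_FILTER unset and only per-interface `routefilter` options, conf/all/rp_filter is now set to 1 as well, which the old code never did; that should be called out in the documentation for the routefilter option. `run_ip route flush cache` is correctly placed, since it only runs when something was changed.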


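The kernel rule the mail quotes (an interface only filters reverse paths when both conf/all/rp_filter and conf/<interface>/rp_filter are 1) is easy to get wrong, as this thread shows. The script below is an added example, not part of the original post or of Shorewall: it evaluates that rule for every interface under a sysctl conf tree and lists the ones where filtering is not actually in effect. It runs against a constructed, temporary conf tree so it works offline; on a real host, point it at /proc/sys/net/ipv4/conf instead (the function names and the fake tree layout are assumptions made for the example).

```shell
#!/bin/sh
# Added example (not from the original post or Shorewall): report which
# interfaces really have reverse-path filtering in effect, applying the
# ip-sysctl.txt rule that conf/all/rp_filter AND conf/<iface>/rp_filter
# must both be 1.

# Build a constructed sysctl tree so the example runs without touching /proc.
# Layout: all=1, default=0, eth0=1, eth1=0, ppp0=1 (assumed sample values).
make_fake_conf_tree() {
    root=$(mktemp -d)
    for i in all default eth0 eth1 ppp0; do
        mkdir -p "$root/$i"
    done
    echo 1 > "$root/all/rp_filter"
    echo 0 > "$root/default/rp_filter"
    echo 1 > "$root/eth0/rp_filter"
    echo 0 > "$root/eth1/rp_filter"
    echo 1 > "$root/ppp0/rp_filter"
    echo "$root"
}

# rp_effective CONF_ROOT IFACE -> prints 1 if filtering is in effect, else 0.
# A missing rp_filter file is treated as 0, i.e. not filtering.
rp_effective() {
    conf=$1
    iface=$2
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$conf/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" = 1 ] && [ "$dev" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# list_unfiltered CONF_ROOT -> prints, one per line, every real interface
# (all and default are skipped) whose reverse-path filtering is NOT in effect.
list_unfiltered() {
    conf=$1
    for d in "$conf"/*/; do
        iface=$(basename "$d")
        case $iface in
            all|default) continue ;;
        esac
        [ "$(rp_effective "$conf" "$iface")" = 1 ] || echo "$iface"
    done
}

# Usage on a live host: ./rpcheck.sh --check
case "${1:-}" in
    --check) list_unfiltered /proc/sys/net/ipv4/conf ;;
esac
```

On a host where conf/all/rp_filter is 0, every interface is reported as unfiltered regardless of its own setting, which is exactly the symptom the mail describes; after the fix in the patch, only interfaces that Shorewall did not mark should appear.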