From 3147a33c521a2d8862766b568904f6df775c42de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Thu, 18 Feb 2021 01:04:28 +0100
Subject: [PATCH] fff-network: Disable source address filtering
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Source address filtering (RFC3704) can be used to mitigate source address spoofing. However, strict mode only works when routes are strictly symmetric. If routes are asymmetric, it can happen that the best route to the source address of a packet is via a different interface. Because there is no guarantee that routes have to be symmetric in the Freifunk Franken backbone network, we cannot use strict mode. Because default routes are used in the Freifunk Franken backone, loose mode could be used, but does not make any sense. Instead, revert back to the kernel default setting, which currently is 0 (disabled). While this change affects both layer3 and node variant, nothing changes for the node firmware, because it does not forward packets.

Fixes: #123
Signed-off-by: Fabian Bläse
Reviewed-by: Christian Dresel
---
 src/packages/fff/fff-network/Makefile | 2 +-
 .../fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index a5b183a7..edf0a4c6 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-network
-PKG_RELEASE:=34
+PKG_RELEASE:=35
 include $(INCLUDE_DIR)/package.mk
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index f0ba7a7c..ab536b4b 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -9,9 +9,6 @@ net.ipv4.tcp_syncookies=1
 net.core.netdev_max_backlog=30
 net.netfilter.nf_conntrack_checksum=0
-#Controls source route verification
-net.ipv4.conf.default.rp_filter=1
-
 #Do not accept source routing
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.all.accept_redirects=0