From 818d0d1210d72483df7ff3961246b730ef913274 Mon Sep 17 00:00:00 2001
From: Fabian Bläse
Date: Thu, 18 Feb 2021 01:04:28 +0100
Subject: [PATCH] fff-network: Disable source address filtering
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Source address filtering (RFC3704) can be used to mitigate source address spoofing. However, strict mode only works when routes are strictly symmetric. If routes are asymmetric, it can happen that the best route to the source address of a packet is via a different interface.

Because there is no guarantee that routes have to be symmetric in the Freifunk Franken backbone network, we cannot use strict mode. Because default routes are used in the Freifunk Franken backbone, loose mode could be used, but does not make any sense. Instead, revert back to the kernel default setting, which currently is 0 (disabled).

While this change affects both layer3 and node variants, nothing changes for the node firmware, because it does not forward packets.

Fixes: #123
Signed-off-by: Fabian Bläse
---
 src/packages/fff/fff-network/Makefile | 2 +-
 .../fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile index c97a816a..21af16af 100644 --- a/src/packages/fff/fff-network/Makefile +++ b/src/packages/fff/fff-network/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fff-network -PKG_RELEASE:=31 +PKG_RELEASE:=32 include $(INCLUDE_DIR)/package.mk diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf index f0ba7a7c..ab536b4b 100644 --- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf 
@@ -9,9 +9,6 @@ net.ipv4.tcp_syncookies=1 net.core.netdev_max_backlog=30 net.netfilter.nf_conntrack_checksum=0 -#Controls source route verification -net.ipv4.conf.default.rp_filter=1 - #Do not accept source routing net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0
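Review bot: dropping `net.ipv4.conf.default.rp_filter=1` from 50-fff-network.conf only yields the kernel default of 0 that the commit message relies on if no other sysctl fragment on the image (OpenWrt's own /etc/sysctl.conf or another /etc/sysctl.d/*.conf, including later-sorted ones) sets rp_filter; consider recording the decision explicitly instead of relying on absence, e.g. `net.ipv4.conf.default.rp_filter=0` and `net.ipv4.conf.all.rp_filter=0` under a comment that points at the asymmetric-routing rationale. Note also that the kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter per interface, so a stray `all` setting elsewhere would keep strict mode on regardless of this hunk; checking `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter` on a built layer3 image before merging would confirm the intended end state.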