fff-network: Disable source address filtering #127
No reviewers
Labels
No Label
RFC
RFT
WIP
blocked
bsp
bug
build/scripts/tools
duplicate
feature
fixed
layer3
mantis
more details required
needs changes
node
packages/fff
rejected
security
trivial
upstream
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: freifunk-franken/firmware#127
Loading…
Reference in New Issue
No description provided.
Delete Branch "fbl/firmware:rpfilter"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Source address filtering (RFC3704) can be used to mitigate source
address spoofing. However, strict mode only works when routes are
strictly symmetric. If routes are asymmetric, it can happen that
the best route to the source address of a packet is via a different
interface.
Because there is no guarantee that routes have to be symmetric in the
Freifunk Franken backbone network, we cannot use strict mode. Because
default routes are used in the Freifunk Franken backone, loose mode
could be used, but does not make any sense. Instead, revert back to the
kernel default setting, which currently is 0 (disabled).
While this change affects both layer3 and node variant, nothing changes
for the node firmware, because it does not forward packets.
Fixes: #123
Signed-off-by: Fabian Bläse fabian@blaese.de
applied.
Pull request closed