fff-network: Disable source address filtering

Source address filtering (RFC3704) can be used to mitigate source
address spoofing. However, strict mode only works when routes are
strictly symmetric. If routes are asymmetric, it can happen that
the best route to the source address of a packet is via a different
interface.

Because there is no guarantee that routes have to be symmetric in the
Freifunk Franken backbone network, we cannot use strict mode. Because
default routes are used in the Freifunk Franken backbone, loose mode
could be used, but does not make any sense. Instead, revert back to the
kernel default setting, which currently is 0 (disabled).

While this change affects both layer3 and node variant, nothing changes
for the node firmware, because it does not forward packets.

Fixes: #123

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
Fabian Bläse 2021-02-18 01:04:28 +01:00
parent 764556b980
commit 3147a33c52
2 changed files with 1 additions and 4 deletions


@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=fff-network
PKG_RELEASE:=34
PKG_RELEASE:=35
include $(INCLUDE_DIR)/package.mk


@ -9,9 +9,6 @@ net.ipv4.tcp_syncookies=1
net.core.netdev_max_backlog=30
net.netfilter.nf_conntrack_checksum=0
#Controls source route verification
net.ipv4.conf.default.rp_filter=1
#Do not accept source routing
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
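
Review bot: Dropping net.ipv4.conf.default.rp_filter=1 from this sysctl hunk leaves the value implicit instead of pinning it, so the outcome depends on the kernel default (which the commit message itself describes as "currently" 0) and on no other sysctl file setting it. Consider writing net.ipv4.conf.default.rp_filter=0 explicitly, with a comment saying that filtering is off because backbone routes may be asymmetric. The kernel uses the maximum of conf.all.rp_filter and the per-interface value when validating sources, so setting net.ipv4.conf.all.rp_filter=0 alongside it would make the intended state unambiguous.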