I have a server running RHEL6.4.

I need to configure the .rp_filter sysctl parameter for my server's private interconnect. This server has 2 NICs bonded together. I looked through the documentation and searched online but haven't found conclusive information on how exactly it should be configured.

Should I set it on the bonded interface itself?

net.ipv4.conf.bond0.rp_filter = 0

Or should I set it on the 2 physical slave NICs?

net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.rp_filter = 0

I cannot use net.ipv4.conf.all.rp_filter or net.ipv4.conf.default.rp_filter.

Mxx
  • I think you should use net.ipv4.conf.bond0.rp_filter because the IP is on the bonding interface, not on the slave interfaces – c4f4t0r Aug 07 '13 at 22:46
  • Why can't you use net.ipv4.conf.all.rp_filter? – Marki Aug 11 '13 at 14:05
  • @Marki because on some interfaces I need it to be `1` – Mxx Aug 11 '13 at 18:21
  • Ok, so you have other interfaces besides the bond and its slaves. Why not set it for bond0 and the slaves? Why do you think that would hurt? Since bond0 is probably used in the routing table, I'd guess that would be enough. You could build a test scenario and send some spoofed packets. – Marki Aug 11 '13 at 18:29
  • @Marki I have multiple bonding interfaces. On some I need `0`, on some I need `1`. Well, I'd prefer to know exactly what parameter should be set. Since these servers are in production I can't reboot them multiple times to test. I'm looking for an authoritative answer. – Mxx Aug 11 '13 at 18:42
  • If a reverse path filter is that important, I'd test it out on a test machine anyway. – Marki Aug 11 '13 at 18:47

2 Answers

What's good with open source - you can always refer to the source, if you're in doubt.

A quick search shows that rp_filter is used in the function fib_validate_source, which is called only in net/ipv4/route.c, the TCP/IP stack implementation for Linux.

So rp_filter does absolutely nothing, whether it's enabled or not, on an interface without an IP address configured.

DukeLion
  • So just to confirm, I should be setting it on bonding interfaces and not underlying slave interface? – Mxx Aug 13 '13 at 00:48
  • You set it wherever your IP is configured. If you have it on the bonding interface, then on bondX; if you have a bridge of bonds with the IP on it, then on the bridge interface. – DukeLion Aug 13 '13 at 05:47

Bonding is a layer 2 function; rp_filter is a layer 3 function. So this is probably the wrong question. As @c4f4t0r mentioned, your rp_filter goes where your IP address is.

Paul Gear
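
A way to check which value is actually in force on the interfaces that hold an IP address, as an added example that is not part of the original posts. It relies on the rule from the kernel's ip-sysctl documentation that source validation uses the maximum of `conf.all.rp_filter` and `conf.<interface>.rp_filter`, so a `0` on bond0 only takes effect while `all` is also `0`. The function names and the `CONF_ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: show the rp_filter value the kernel applies per interface.
# CONF_ROOT (hypothetical override) lets the logic run against a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter IFACE
# Prints max(conf.all.rp_filter, conf.IFACE.rp_filter); returns 1 if IFACE is unknown.
effective_rp_filter() {
    iface="$1"
    if [ ! -r "$CONF_ROOT/$iface/rp_filter" ]; then
        echo "no rp_filter entry for $iface" >&2
        return 1
    fi
    all=$(cat "$CONF_ROOT/all/rp_filter")
    own=$(cat "$CONF_ROOT/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# ipv4_interfaces
# Prints the names of interfaces that carry an IPv4 address (bondX, bridge, ...),
# which are the ones where rp_filter matters.
ipv4_interfaces() {
    ip -4 -o addr show | awk '{print $2}' | sort -u
}

# rp_filter_report [IFACE...]
# One line per interface: configured value and effective value.
# With no arguments it reports on every interface that has an IPv4 address.
rp_filter_report() {
    [ "$#" -gt 0 ] || set -- $(ipv4_interfaces)
    for i in "$@"; do
        eff=$(effective_rp_filter "$i") || continue
        printf '%s own=%s effective=%s\n' \
            "$i" "$(cat "$CONF_ROOT/$i/rp_filter")" "$eff"
    done
}
```

Source the file and run `rp_filter_report` with no arguments on the server; any line where `own` and `effective` differ means `conf.all.rp_filter` is overriding the per-interface setting.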