Bingo! With the -t raw, you can bypass the 1.2 Mpps limitation in iptables per CPU socket, because it's doing a very early drop without crossing the full iptables kernel modules.

You can reach close to wirespeed with the -t raw compared to using the same iptables without -t raw.

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest...@nanog.org> On Behalf Of Fran via NANOG
Sent: June 8, 2021 5:39 PM
To: nanog@nanog.org
Subject: Re: BCP38 on public-facing Ubuntu servers

Hey,

to my knowledge there is no IPv6 equivalent for net.ipv4.conf.all.rp_filter. Therefore I use netfilter to do the RP filtering for both address families.

ip(6)tables -t raw -I PREROUTING -m rpfilter --invert -j DROP

Using the raw table, fewer resources are used, but you could also choose other tables. Details about rpfilter can be found here [1]. This can also be achieved using nftables [2].

Best
Fran

[1] https://ipset.netfilter.org/iptables-extensions.man.html#lbBX
[2] https://wiki.nftables.org/wiki-nftables/index.php/Matching_routing_information

On 04.06.21 20:43, Jay Vosburgh wrote:
> Grant Taylor via NANOG <nanog@nanog.org> wrote:
>
>> On 6/3/21 8:44 AM, William Herrin wrote:
>>> rp_filter is great until your network is slightly less than a
>>> perfect hierarchy. Then your Linux "router" starts mysteriously
>>> dropping packets and, as with allow_local, Linux doesn't have any
>>> way to generate logs about it so you end up with these mysteriously
>>> unexplained packet discards matching no conceivable rule in
>>> iptables... This failure has too often been the bane of my existence
>>> when using Linux for advanced networking.
>>
>> I don't remember the particulars, but I thought that was the domain
>> of log_martians (net.ipv4.conf.*.log_martians).
>>
>> Without log_martians or explicitly looking for such, no, you won't
>> get any indication of such drops.
>
> Yes, enabling the log_martians sysctl will generate a kernel log
> message for each rp_filter failure (subject to rate limiting). There
> are also stat counters in /proc/net/stat/rt_cache (one line per CPU)
> for in_martian_dst and in_martian_src which increment regardless of
> the log_martians setting.
>
> The rp_filter sysctl defaults to strict mode (== 1) on Ubuntu, but
> can be set to loose mode (== 2); the difference is, essentially, in
> strict mode the reverse path must be the same interface as the ingress
> interface, whereas in loose mode the reverse path can be any interface
> (as long as the source address is reachable).
>
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.rst
>
> -J
>
> ---
> -Jay Vosburgh, jay.vosbu...@canonical.com
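Added example, not part of the thread above: a small POSIX shell helper that makes the per-CPU in_martian_src / in_martian_dst counters Jay mentions usable for the "mysterious drops" problem William describes, without needing log_martians. The function names (martian_total, martian_snapshot, martian_delta) are my own, and the rt_cache text at the top is a constructed sample in the kernel's format (a header line naming the columns, then one line of %08x hex counters per CPU); column positions are taken from the header because the column set varies between kernel versions.

```shell
#!/bin/sh
# Constructed sample of /proc/net/stat/rt_cache for a two-CPU host (not captured
# from a real machine). CPU0 has 0x10 martian-source hits, CPU1 has 0x0a.
SAMPLE_RT_CACHE='entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src out_hit out_slow_tot out_slow_mc gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00000001  00000000 00001234 00000000 00000000 00000002 00000003 00000010 00000000 00000456 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000001  00000000 00000abc 00000000 00000000 00000001 00000004 0000000a 00000000 00000123 00000000 00000000 00000000 00000000 00000000 00000000 00000000'

# martian_total NAME: sum the column called NAME across all per-CPU lines read
# from stdin and print the decimal total. The column index is looked up in the
# header line; hex values are converted by hand so this runs on any POSIX awk.
# Exits non-zero and prints nothing if the header has no such column.
martian_total() {
    awk -v want="$1" '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == want) idx = i
            next
        }
        idx > 0 && NF >= idx {
            v = $idx; n = 0
            for (k = 1; k <= length(v); k++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(v, k, 1))) - 1
            total += n
        }
        END {
            if (!idx) exit 1
            printf "%d\n", total + 0
        }
    '
}

# martian_snapshot [FILE]: print "in_martian_src in_martian_dst" totals from the
# live stat file (default /proc/net/stat/rt_cache). Returns 1 if unreadable,
# e.g. on a non-Linux box, so callers can skip the live check cleanly.
martian_snapshot() {
    f="${1:-/proc/net/stat/rt_cache}"
    [ -r "$f" ] || return 1
    src=$(martian_total in_martian_src < "$f") || return 1
    dst=$(martian_total in_martian_dst < "$f") || return 1
    echo "$src $dst"
}

# martian_delta "SRC DST" "SRC DST": compare two snapshots. Prints "ok" when the
# counters did not move, otherwise the increments, which point at rp_filter
# (or a bogus destination) discarding traffic during the interval.
martian_delta() {
    set -- $1 $2
    ds=$(( $3 - $1 ))
    dd=$(( $4 - $2 ))
    if [ "$ds" -eq 0 ] && [ "$dd" -eq 0 ]; then
        echo "ok"
    else
        echo "in_martian_src +$ds in_martian_dst +$dd"
    fi
}

# Demo on the constructed sample; on a live host you would instead run something
# like:  before=$(martian_snapshot); sleep 60; after=$(martian_snapshot)
#        martian_delta "$before" "$after"
echo "sample: in_martian_src=$(printf '%s\n' "$SAMPLE_RT_CACHE" | martian_total in_martian_src)" \
     "in_martian_dst=$(printf '%s\n' "$SAMPLE_RT_CACHE" | martian_total in_martian_dst)"
```

Caveat worth knowing when combining the two approaches in this thread: these counters are incremented by the kernel's routing code, i.e. the sysctl rp_filter path. Packets dropped by the netfilter `-m rpfilter --invert -j DROP` rule Fran uses never reach that code, so they show up only in the rule's own packet/byte counters (`iptables -t raw -L PREROUTING -v -n`), not in rt_cache.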