From afae794d3090e06661a4125a03158d531fe15f40 Mon Sep 17 00:00:00 2001
From: Stig Thormodsrud
Date: Tue, 11 Mar 2014 15:56:22 -0700
Subject: Add per interface source-validation

Signed-off-by: Daniil Baturin
---
 interface-templates/ip/source-validation/node.def | 34 +++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 interface-templates/ip/source-validation/node.def

diff --git a/interface-templates/ip/source-validation/node.def b/interface-templates/ip/source-validation/node.def
new file mode 100644
index 00000000..bc93b5a5
--- /dev/null
+++ b/interface-templates/ip/source-validation/node.def
@@ -0,0 +1,34 @@
+# rp_filter
+# default value - 0
+# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to
+# a value greater than 0 to do source validation on the interface
+
+
+type: txt
+
+help: Policy for source validation by reversed path, as specified in RFC3704
+
+val_help: strict; Enable Strict Reverse Path Forwarding as defined in RFC3704
+val_help: loose; Enable Loose Reverse Path Forwarding as defined in RFC3704
+val_help: disable; No source validation
+
+syntax:expression: $VAR(@) in "strict", "loose", "disable"; "source-validation must be set to 'loose', 'strict' or 'disable'"
+
+update:
+ if [ x$VAR(@) == xstrict ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
+ elif [ x$VAR(@) == xloose ]; then
+ sudo sh -c "echo 2 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
+ sudo sh -c "echo 2 > \
+ /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
--
cgit v1.2.3
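Review bot: The `else` branch of `update:` (the `disable` value) writes 0 only to `conf/all/rp_filter` and never touches `conf/$IFNAME/rp_filter`, so an interface previously set to `strict` or `loose` keeps its non-zero per-interface value while the global `all` knob, which the header comment says every interface's validation depends on, is cleared for all of them at once. Make the disable branch mirror the `delete:` action and leave `all` alone: `else` / `sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"` / `fi`. The `strict` and `loose` branches also rewrite `all` on every interface update; the kernel documents the effective mode as the higher of `all` and the per-interface value, so setting `loose` (2) on one interface appears to downgrade another interface configured `strict` (1) — that interaction deserves a comment next to the `all` writes, e.g. `# all/rp_filter is global: the last interface updated decides the floor for every interface`.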