Voxel rpfilter (reverse path filtering)

HELLO_wORLD

Very Senior Member
Hi all,

I realized that sysctl net.ipv4.conf.*.rp_filter, which performs reverse path filtering to detect invalid source addresses, is set to 0 on my R7800. That seems strange for a router.

It can be turned on changing sysctl settings, but:

1) The sysctl method is now deprecated and works only for IPv4.
2) An "rpfilter" kernel module has been available since Linux 3.3 and iptables 1.4.13, which allows reverse path filtering within iptables for IPv4 but also IPv6.

Like:
Code:
iptables -A PREROUTING -t raw -m rpfilter --invert -j DROP
ip6tables -A PREROUTING -t raw -m rpfilter --invert -j DROP

However, this module does not exist in our firmwares:
ip6tables v1.8.7 (legacy): Couldn't load match `rpfilter':No such file or directory (same with iptables).

@Voxel : Is it possible (and simple) to include the rpfilter .ko module in /lib/modules/3.4.103/ ?
 

Only modules would not be enough. Please test https://www.voxel-firmware.com/Downloads/rpfilter-r7800.tar.gz

Code:
drwxr-xr-x root/root         0 2021-03-10 20:52 etc/
drwxr-xr-x root/root         0 2021-03-10 20:52 etc/modules.d/
-rw-r--r-- root/root        27 2021-03-10 20:41 etc/modules.d/45-ipt-rpfilter
drwxr-xr-x root/root         0 2021-03-10 20:51 lib/
drwxr-xr-x root/root         0 2021-03-10 20:51 lib/modules/
drwxr-xr-x root/root         0 2021-03-10 20:51 lib/modules/3.4.103/
-rw-r--r-- root/root      3904 2021-03-10 19:59 lib/modules/3.4.103/ipt_rpfilter.ko
-rw-r--r-- root/root      3988 2021-03-10 19:59 lib/modules/3.4.103/ip6t_rpfilter.ko
drwxr-xr-x root/root         0 2021-03-10 20:52 usr/
drwxr-xr-x root/root         0 2021-03-10 20:52 usr/lib/
drwxr-xr-x root/root         0 2021-03-10 20:52 usr/lib/iptables/
-rwxr-xr-x root/root      7440 2021-03-10 20:18 usr/lib/iptables/libxt_rpfilter.so

Voxel.
You simply rock @Voxel :cool:
Code:
root@HERMES:/$ cd /
root@HERMES:/$ wget -qO- https://www.voxel-firmware.com/Downloads/rpfilter-r7800.tar.gz | tar -xvzf -
root@HERMES:/$ insmod /lib/modules/3.4.103/ipt_rpfilter.ko
root@HERMES:/$ insmod /lib/modules/3.4.103/ip6t_rpfilter.ko
root@HERMES:/$ lsmod | grep rpfilter
ip6t_rpfilter 1259 0 - Live 0xbf00e000
ipt_rpfilter 1283 0 - Live 0xbf002000
root@HERMES:/$ ip6tables -A PREROUTING -t raw -m rpfilter --invert -j DROP
root@HERMES:/$ ip6tables -t raw -S                                        
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -m rpfilter --invert -j DROP
root@HERMES:/$ ip6tables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere             rpfilter invert

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@HERMES:/$
 
So what's the next? Tar above was something like "on-the-fly" created by me to test. Do you need rpfilter? It requires changes in kernel config, packages/kernel Makefile, iptables Makefile... NG/DNI did not need/use rpfilter... For R7800/R900/ORBI: not...

Voxel.
Well, if it is easy, it would be nice to have this option in our routers.
Reverse path filtering is a standard modern module and an extra security that advanced users might want to use in their custom iptables.

sysctl does have rp_filter, but as I said, it is deprecated and IPv4 only. Typical of NG that does not care about updating its firmwares.
 
OK.
Well, if it is easy, it would be nice to have this option in our routers.

It looks easy, but... You know.

Voxel.
 
A note about using rpfilter:

If you are planning to use the common rule:
iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP

This will block any DHCP request from the LAN, as 0.0.0.0 (the source address of a DHCP client on the LAN) will be considered non-routable to br0 (that is true, and the DHCP server answers to the broadcast address 255.255.255.255, not 0.0.0.0).
One solution is this:
Code:
iptables -t raw -A PREROUTING -s 0.0.0.0/32 -i br0 -j ACCEPT
iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP
It can also be narrowed down by moving the rule to the mangle table and accepting udp 0.0.0.0:68 from br0.

No need for such a rule for IPv6. DHCP transactions on the LAN seem to work fine with the rule:
ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
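An added model (not code from the thread or from Voxel's firmware) of how the strict reverse-path check behind -m rpfilter interacts with the rule sets in the note above. The routing table, interface names (br0 for LAN, eth0 for WAN) and packets are constructed; the "narrow" variant is shown in the same chain rather than moved to the mangle table; and the IPv6 case assumes that a DHCPv6 client sends from a link-local source, which the kernel looks up per interface and therefore passes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: LAN bridge br0, WAN eth0 (documentation prefixes).
ROUTES = [
    ("0.0.0.0/0", "eth0"), ("203.0.113.0/24", "eth0"), ("192.168.1.0/24", "br0"),
    ("::/0", "eth0"), ("2001:db8:1::/64", "br0"),
    ("fe80::/64", "eth0"), ("fe80::/64", "br0"),  # every interface has a link-local route
]

@dataclass(frozen=True)
class Packet:
    src: str
    in_dev: str
    proto: str = "udp"
    sport: int = 0

def reverse_lookup(src, in_dev, routes=ROUTES):
    """Longest-prefix route back to src; returns its egress interface or None.
    IPv6 link-local sources only match routes on the ingress interface (per-interface lookup)."""
    ip = ipaddress.ip_address(src)
    if ip.is_unspecified:  # 0.0.0.0 and :: are never routable back
        return None
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != ip.version or ip not in net:
            continue
        if ip.version == 6 and ip.is_link_local and dev != in_dev:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, dev)
    return best[1] if best else None

def rpfilter_passes(pkt):
    # -m rpfilter (strict): the route back to the source must use the ingress interface
    return reverse_lookup(pkt.src, pkt.in_dev) == pkt.in_dev

def raw_prerouting(pkt, dhcp_exception="none"):
    """Verdict of the raw PREROUTING chain built in the note.
    "none":   only '-m rpfilter --invert -j DROP'
    "broad":  '-s 0.0.0.0/32 -i br0 -j ACCEPT' placed before it
    "narrow": the same, restricted to udp from source port 68 (DHCP client)"""
    if pkt.in_dev == "br0" and pkt.src == "0.0.0.0":
        if dhcp_exception == "broad":
            return "ACCEPT"
        if dhcp_exception == "narrow" and pkt.proto == "udp" and pkt.sport == 68:
            return "ACCEPT"
    if not rpfilter_passes(pkt):
        return "DROP"
    return "ACCEPT"  # chain policy
```

With the plain rule a DHCP DISCOVER from br0 is dropped, both exceptions let it through, and only the narrow one still drops other 0.0.0.0-sourced traffic; a LAN address arriving on eth0 is dropped in every variant.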
 