Community discussions

MikroTik App
 
sten
Forum Veteran
Forum Veteran
Topic Author
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

rp-filter=loose, including default-route or no?

Tue Nov 13, 2018 1:47 pm

I am terribly sorry if this has been answered before, but i could not find an answer via search or google. Documentation on wiki lacking answer.
/ ip settings rp-filter=loose
Does that match on default-route (0.0.0.0/0) also or only more specific routes?

RFC3704 allows for two different "loose" variants which also does not help to explain based on the wiki.
   o  Loose Reverse Path Forwarding
   o  Loose Reverse Path Forwarding ignoring default routes
The place i want to use it is on a full tabled BGP router (trying to avoid firewall rules for forwarding, trying to achieve fast-path).
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: rp-filter=loose, including default-route or no?

Wed Nov 14, 2018 3:28 pm

RP-filter is security feature AFAIK. And it's looking at source address and best specific route for it in order to process this packet.

strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

I believe that loose mode include default route.
 
sten
Forum Veteran
Forum Veteran
Topic Author
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Re: rp-filter=loose, including default-route or no?

Wed Nov 14, 2018 6:10 pm

I believe that loose mode include default route.
This is exactly why i'm asking. Hoping someone with definitive knowledge will chime in.
 
sten
Forum Veteran
Forum Veteran
Topic Author
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Re: rp-filter=loose, including default-route or no?

Fri Nov 16, 2018 3:44 pm

I believe that loose mode include default route.
I believe you are right. After testing i found that Loose mode with default-route in route table means no real rp-filtering is done. It is possible that it goes through the motions but will always find a route and so will always allow it. How useful that is, is debatable. How you are able to propagate default-route through BGP/IGP from upstream is then also unknown factor.
 
User avatar
blazej44800
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Thu Feb 20, 2014 6:16 pm

Re: rp-filter=loose, including default-route or no?

Thu Dec 23, 2021 9:26 pm

UP

I just tested the behaviour of RP loose mode and it considers default route as normal route. In case default route is installed, loose mode has no sense.
I tried the same on Arista switch and they correctly ignore the default route.
Who wants to join support ticket, PM to me.

SUP-69814
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: rp-filter=loose, including default-route or no?

Wed Jan 12, 2022 6:30 pm

I just tested the behaviour of RP loose mode and it considers default route as normal route. In case default route is installed, loose mode has no sense.
I tried the same on Arista switch and they correctly ignore the default route.
I can see your point, but the default route is a connected route too (and potentially dynamically changing). But even if Mikrotik definition is "wrong", "fp-filter=loose" has included the default route for a very long time, and changing functionality is risky in V6 – since there may be users with fp-filter=loose that expect the current behavor (even if it's potentially wrong).

The firewall can do same functionality is likely why there isn't too much interest. I guess fp-filter=loose might be slightly more performant than using the firewall to implement the same rules, but dunno.

I'd imagine V7 be same, but you could try it that and confirm same behavior?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: rp-filter=loose, including default-route or no?

Wed Jan 12, 2022 9:41 pm

I am not aware of parameter in linux that allows to ignore default route. rp_filter allows to set only disable,strict,loose. There is no other option, so it is what it is.

Who is online

Users browsing this forum: No registered users and 15 guests