Reverse path filtering must be globally disabled

[yoelcaspersen]

To receive and forward a DHCP packet arriving on an unnumbered VLAN interface, reverse path filtering (RPF) must be globally disabled:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Disabling RPF on individual interfaces doesn't work - the packet is dropped and shows up in the martian log.

If an IPv4 address is added on the VLAN interface, disabling RPF on that single VLAN interface works, and the packet is forwarded - but that doesn't help us, as VLAN interfaces must be unnumbered if we want multiple customers to share the same IPv4 subnet and default gateway address (which is necessary to save IPv4 space).

Disabling RPF globally doesn't seem right - please let me know if you have any better ideas.

[tohojo]

Yoel Caspersen ***@***.***> writes:

To receive and forward a DHCP packet arriving on an unnumbered VLAN interface, reverse path filtering (RPF) must be globally disabled: `echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter` Disabling RPF on individual interfaces doesn't work - the packet is dropped and shows up in the martian log.

That's because the maximum value from the global and the per-interface value is used...

If an IPv4 address is added on the VLAN interface, disabling RPF on that single VLAN interface works, and the packet is forwarded - but that doesn't help us, as VLAN interfaces must be unnumbered if we want multiple customers to share the same IPv4 subnet and default gateway address (which is necessary to save IPv4 space). Disabling RPF globally doesn't seem right - please let me know if you have any better ideas.

Isn't it enough to just set it to '2'? That way packets should be allowed if there is *any* valid route to the source, so having a covering prefix configured on some interface should be enough?