Rp_filter is short for reverse path filtering on Linux. We can use this to filter packets on Linux. Here are 5 common questions about rp_filter.
What is reverse path filtering?
Reverse path filtering is a mechanism adopted by the Linux kernel, as well as most of the networking devices out there to check whether a receiving packet source address is routable.
So in other words, when a machine with reverse path filtering enabled receives a packet, the machine will first check whether the source of the received packet is reachable through the interface it came in.
If it is routable through the interface which it came, then the machine will accept the packet.
If it is not routable through the interface, which it came, then the machine will drop that packet.
The latest redhat machines will give you one more option. This option is kind of liberal in terms of accepting traffic.
If the recieved packet’s source address is routable through any of the interfaces on the machine, the machine will accept the packet.
How to check if reverse path is enabled in Linux?
In Linux machine’s Reverse Path filtering is handled by sysctl, like many other kernel settings.
The current value on your machine can be found from the following method.
[root@localhost ~]# cat /proc/sys/net/ipv4/conf/default/rp_filter
Let’s understand the boolean values for rp_filter first then go ahead with configuration.
1 indicates, that the kernel will do source validation by confirming reverse path. 0 indicates, no source validation.
How to check if the packet is dropped by reverse path filter?
In RHEL7, we can check this metric.
# netstat -s | grep Filter
# netstat -s | grep Filter
Between these two commands four packets were discarded by the reverse path filter.
Capture Rp_filter Log
We can enable log_martians and monitor syslog.
- sysctl -w net.ipv4.conf.all.log_martians=1
- echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
We can monitor syslog with the following command.
- tail -f /var/log/messages | grep -B1 martian
Which RP filter should we use in Oracle RAC env?
Red Hat Enterprise Linux 7 defaults to the use of Strict Reverse Path filtering. The reason strict mode is the default is to prevent IP spoofing from Distributed Denial-of-service (DDos) attacks.
However, having strict mode enabled on the private interconnect of an Oracle RAC database cluster may cause disruption of interconnect communication. It is recommended to set the RP_FILTER from strict mode to loose mode. Loosening the security on the private Ethernet interfaces should not be of concern as best practices recommend for an isolated private network that can only communicate between nodes specifically for Oracle’s private interconnect.
Example of Rp filter in Oracle RAC env
We got a high interconnect latency issue in our oracle RAC env recently. The ping latency is very high between nodes. It is related to this configuration. After we set it from 1 to 0, the issue is gone. The ping latency betweens Oracle nodes drops a lot. The GC wait is also gone on Oracle database side.