How does rp_filter work on Linux?

Updated: 5 days ago

rp_filter is short for reverse path filtering on Linux. The kernel uses it to drop packets whose source address fails a reverse-route check. Here are 5 common questions about rp_filter.

What is rp_filter on Linux?

What is reverse path filtering?

Reverse path filtering is a mechanism adopted by the Linux kernel, as well as by most networking devices, to check whether the source address of a received packet is routable.

In other words, when a machine with reverse path filtering enabled receives a packet, it first checks whether the packet's source address is reachable through the interface the packet arrived on.

If the source is routable through the interface the packet came in on, the machine accepts the packet.

If the source is not routable through that interface, the machine drops the packet.

The latest Red Hat machines give you one more option, which is more liberal about accepting traffic.

In that mode, if the received packet's source address is routable through any of the interfaces on the machine, the machine accepts the packet.



How to check if reverse path filtering is enabled in Linux?

On a Linux machine, reverse path filtering is controlled through sysctl, like many other kernel settings.

The current value on your machine can be read as follows.

[root@localhost ~]# cat /proc/sys/net/ipv4/conf/default/rp_filter
1
[root@localhost ~]#

Let's understand the values rp_filter accepts first, then go ahead with the configuration.

1 means the kernel performs source validation by confirming the reverse path; 0 means no source validation.



How to check if the packet is dropped by reverse path filter?

In RHEL7, we can check this counter.

# netstat -s | grep Filter
ArpFilter: 0
IPReversePathFilter: 80
# netstat -s | grep Filter
ArpFilter: 0
IPReversePathFilter: 84

Between these two commands, four packets were discarded by the reverse path filter.
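The following script is an added example, not code from the original post. It names the rp_filter values, computes the mode the kernel actually applies per interface, and parses the IPReversePathFilter counter shown above. The value-to-mode mapping (0 off, 1 strict, 2 loose) and the rule that the higher of conf/all and conf/<iface> wins follow the kernel's ip-sysctl documentation; the two netstat snapshots are constructed from the numbers in the text.

```shell
#!/bin/sh
# Value meanings follow the kernel's ip-sysctl documentation:
# 0 = no source validation, 1 = strict, 2 = loose.
# The kernel applies the higher of conf/all/rp_filter and
# conf/<iface>/rp_filter when validating packets arriving on <iface>.

# Name a numeric rp_filter value.
rp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Effective mode for an interface: max($1 = conf/all value, $2 = conf/<iface> value).
rp_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read the IPReversePathFilter counter from `netstat -s` output on stdin
# (prints 0 when the line is absent).
rpf_drop_count() {
    awk '/IPReversePathFilter/ { n = $2 } END { print n + 0 }'
}

# Live report of every interface's own and effective rp_filter mode.
# Does nothing where /proc/sys/net/ipv4 is not available (e.g. non-Linux).
rp_report() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter 2>/dev/null) || return 0
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        v=$(cat "$f")
        printf '%-12s %-8s effective: %s\n' "$iface" \
            "$(rp_mode_name "$v")" "$(rp_mode_name "$(rp_effective "$all" "$v")")"
    done
}

# Constructed sample: the two `netstat -s | grep Filter` snapshots from the text.
SNAP1='ArpFilter: 0
IPReversePathFilter: 80'
SNAP2='ArpFilter: 0
IPReversePathFilter: 84'

rp_report
before=$(printf '%s\n' "$SNAP1" | rpf_drop_count)
after=$(printf '%s\n' "$SNAP2" | rpf_drop_count)
echo "reverse-path drops between snapshots: $((after - before))"
```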


Capture rp_filter Log

We can enable log_martians and monitor syslog.

sysctl -w net.ipv4.conf.all.log_martians=1

or

echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

Monitor syslog with the following command.

tail -f /var/log/messages | grep -B1 martian

Which RP filter should we use in Oracle RAC env?

Red Hat Enterprise Linux 7 defaults to strict reverse path filtering. Strict mode is the default in order to prevent the IP spoofing used in Distributed Denial-of-Service (DDoS) attacks.


However, having strict mode enabled on the private interconnect of an Oracle RAC database cluster may disrupt interconnect communication. It is recommended to set RP_FILTER from strict mode to loose mode on those interfaces. Loosening the security on the private Ethernet interfaces should not be a concern, since best practices call for an isolated private network that carries only traffic between the nodes, specifically Oracle's private interconnect.


We got a high interconnect latency issue in our Oracle RAC env recently. The ping latency is very high between nodes. It is related to this configuration. After we set it from 1 to 0, the issue is gone. The ping latency between Oracle nodes drops a lot. The GC wait is also gone on the Oracle database side.



