近期发现Ubuntu基于ip rule add fwmark … lookup …所做的策略路由无法正常使用,而Debian正常。抓包的特征就是,出网数据包能应用到策略路由,也能抓到回应的数据包,但回应的数据包被内核丢弃,不会送达user space。
而ip rule add from … lookup …则正常。
查找资料得知是rp_filter的影响(见此:https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt),继而发现Ubuntu的/etc/sysctl.d是有以下这个文件的:
1 2 3 4 5 6 7 8 9 10 11 12 |
~# cat /etc/sysctl.d/10-network-security.conf # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks. net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss # of TCP functionality/features under normal conditions. When flood # protections kick in under high unanswered-SYN load, the system # should remain more stable, with a trade off of some loss of TCP # functionality/features (e.g. TCP Window scaling). net.ipv4.tcp_syncookies=1 |
编辑/etc/sysctl.d/10-network-security.conf,把net.ipv4.conf.default.rp_filter以及net.ipv4.conf.all.rp_filter改成2,然后应用:
1 2 3 4 5 6 7 |
~# sysctl --system ... * Applying /etc/sysctl.d/10-network-security.conf ... net.ipv4.conf.default.rp_filter = 2 net.ipv4.conf.all.rp_filter = 2 net.ipv4.tcp_syncookies = 1 ... |