authorAlin Nastac <alin.nastac@gmail.com>2017-06-16 14:16:07 +0200
committerJo-Philipp Wich <jo@mein.io>2017-12-13 16:23:38 +0100
commitc86490605c5511e88093d3584dc9a277afcb9d6d (patch)
treec5f2c75f096cb0de17954906739fd9ee1f8bd8ef /include
parentea23ba9a250714302e9fc21bfc52293b3cddfddd (diff)
netfilter: add iptables-mod-rpfilter package
Unlike the /proc/sys/net/ipv4/conf/INTF/rp_filter flag, the rule iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP prevents the conntrack table from filling up when a packet flood with randomly selected source IP addresses is received from the LAN side. Signed-off-by: Alin Nastac <alin.nastac@gmail.com> (cherry picked from commit d8748e537f11ab5f2b5e2ed25d94baa5ce353984)
Diffstat (limited to 'include')
-rw-r--r--include/netfilter.mk2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk
index c408ac68ca..ac1e1899c7 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -106,6 +106,8 @@ $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_stri
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_DSCP, $(P_XT)xt_dscp))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_TARGET_DSCP, $(P_XT)xt_DSCP))
$(eval $(call nf_add,IPT_HASHLIMIT,CONFIG_NETFILTER_XT_MATCH_HASHLIMIT, $(P_XT)xt_hashlimit))
+$(eval $(call nf_add,IPT_RPFILTER,CONFIG_IP_NF_MATCH_RPFILTER, $(P_V4)ipt_rpfilter))
+$(eval $(call nf_add,IPT_RPFILTER,CONFIG_IP6_NF_MATCH_RPFILTER, $(P_V6)ip6t_rpfilter))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_LENGTH, $(P_XT)xt_length))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_statistic))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss))
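Review bot: The two new IPT_RPFILTER lines are inserted between the IPT_HASHLIMIT entry and the remaining IPT_IPOPT entries, which splits the IPT_IPOPT group that surrounds them; moving them after the last IPT_IPOPT line of this run, or giving them a one-line comment such as `# rpfilter: reverse-path match, IPv4 (ipt_rpfilter) and IPv6 (ip6t_rpfilter) kernel modules`, would keep the per-package grouping readable. This hunk only registers the kernel modules behind the IPT_RPFILTER name; the userspace package that exposes them (the iptables-mod-rpfilter package from the title) is not in this diff, since the diffstat is limited to 'include', so the package definition should be checked separately. The example rule in the description uses the raw table, which these two module entries do not pull in by themselves; I would confirm that the package's dependencies make the raw table available, otherwise the documented use case will not work on a default build.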