How to Disable rp_filter on Specific Network Interface in Linux While Maintaining System-wide Security

When configuring Linux systems as routers with multiple VLAN interfaces, reverse path filtering (rp_filter) can become particularly tricky. The default behavior in Ubuntu (and most Linux distributions) enables strict reverse path verification on all interfaces, which is generally good for security but can cause problems in specific network architectures.

In VLAN configurations, the relationship between parent interfaces and VLAN sub-interfaces creates additional complexity for rp_filter settings. The kernel's network stack processes packets through multiple layers:

Physical interface (ens20)
├── VLAN interface (ens20.2)
├── VLAN interface (ens20.4)
└── VLAN interface (ens20.10)

The common approach of disabling rp_filter on just one VLAN interface often doesn't work because:

  1. The parent physical interface still performs filtering
  2. The kernel may check multiple path validation points
  3. The system-wide all/rp_filter setting overrides individual interfaces: the kernel applies the higher of all/rp_filter and the interface's own value, so a per-interface 0 has no effect while all/rp_filter is 1

To properly disable rp_filter for only one VLAN interface while keeping it enabled system-wide, you need a multi-step approach:

# Set the global default, inherited by interfaces created later (optional but recommended)
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# all/rp_filter must be 0: the kernel uses the higher of all/rp_filter and the
# per-interface value, so a 1 here would keep filtering ens20.4. Strict filtering
# on every other interface must come from its own conf/<iface>/rp_filter = 1
# (check this in the verification step below).
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

# Special case for our specific VLAN interface
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter

# Also disable for the parent physical interface
echo 0 > /proc/sys/net/ipv4/conf/ens20/rp_filter

# Make changes persistent across reboots (the dot in a VLAN interface name
# is written as '/' in sysctl key notation)
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.ens20/4.rp_filter = 0
net.ipv4.conf.ens20.rp_filter = 0
EOF

After applying these changes, verify with:

sysctl -a 2>/dev/null | grep '\.rp_filter'
# Select the IPv4 address only; matching plain "inet" would also pick up the inet6 line
ip route get $(ip -4 -o addr show ens20.4 | awk '{print $4}' | cut -d/ -f1)

For testing packet flow, use either tcpdump or a simple ping test:

tcpdump -i ens20.4 icmp
ping -I ens20.4 8.8.8.8

For more complex scenarios, consider using network namespaces to completely isolate the interface requiring relaxed rp_filter:

# Create new namespace
ip netns add special_vlan

# Move interface to namespace (a VLAN device may live in a different namespace than its parent)
ip link set ens20.4 netns special_vlan

# Bring it up and address it inside the namespace (<ens20.4-address>/<prefix> is a placeholder)
ip netns exec special_vlan ip link set ens20.4 up
ip netns exec special_vlan ip addr add <ens20.4-address>/<prefix> dev ens20.4

# Configure routing independently
ip netns exec special_vlan ip route add default via 192.168.4.1

When disabling rp_filter on any interface:

  • Implement complementary security measures like eBPF filters
  • Consider using firewalls (iptables/nftables) to restrict allowed source IPs
  • Monitor the interface for suspicious traffic patterns

When working with VLAN interfaces on Linux routers, we often encounter a tricky scenario where we need to disable reverse path filtering (rp_filter) for specific interfaces while keeping it active system-wide. The challenge becomes particularly evident when dealing with VLAN sub-interfaces.

The common approach of modifying rp_filter for a single interface often doesn't work because of Linux's network stack behavior with VLAN devices. Here's what's happening under the hood:

# This typically won't work alone for VLAN interfaces
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter

The kernel requires additional configuration due to the relationship between VLAN interfaces and their parent devices.

To properly disable rp_filter for a specific VLAN interface while maintaining system security, follow this comprehensive approach:

# Step 1: Disable for the specific VLAN interface
echo 0 > /proc/sys/net/ipv4/conf/ens20.4/rp_filter

# Step 2: Configure the parent physical interface
echo 2 > /proc/sys/net/ipv4/conf/ens20/rp_filter  # Loose mode

# Step 3: Ensure all other interfaces maintain strict filtering
# (iterate the directory instead of parsing ls; skip the two interfaces
# configured above and the all/default pseudo-entries)
for d in /proc/sys/net/ipv4/conf/*/; do
    i=$(basename "$d")
    case "$i" in all|default|ens20|ens20.4) continue ;; esac
    echo 1 > "$d/rp_filter"
done

# Step 4: Strict default for interfaces created later, and all/rp_filter = 0:
# the kernel uses the higher of all/rp_filter and the per-interface value,
# so a 1 here would re-enable strict filtering on ens20.4
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
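As an added example (not part of the original article), the following script wraps both procedures above: it audits the effective rp_filter mode of every interface using the kernel's max(all, interface) rule, which is why a lone `echo 0` on the VLAN interface changes nothing, and then applies strict filtering everywhere except the named interface(s). RPF_ROOT is a hypothetical variable so the functions can be exercised on a copy of the conf tree; it defaults to the live sysctl directory.

```shell
#!/bin/sh
# Added example, not from the original article: audit rp_filter and relax it
# on chosen interfaces only. The kernel applies max(conf/all, conf/<iface>),
# so a per-interface 0 works only when conf/all/rp_filter is 0 and every
# other interface carries its own 1. RPF_ROOT (hypothetical knob) lets the
# functions run against a copy of the tree; it defaults to the live one.
RPF_ROOT="${RPF_ROOT:-/proc/sys/net/ipv4/conf}"

# Effective mode for one interface: the larger of the all and own values.
effective_rp_filter() {
    all=$(cat "$RPF_ROOT/all/rp_filter")
    own=$(cat "$RPF_ROOT/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print one line per interface; a trailing '!' marks a per-interface value
# that conf/all silently overrides (the reason a lone echo 0 does nothing).
audit_rp_filter() {
    for d in "$RPF_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        own=$(cat "$d/rp_filter")
        eff=$(effective_rp_filter "$i")
        flag=""
        [ "$own" = "$eff" ] || flag=" !"
        printf '%s own=%s effective=%s%s\n' "$i" "$own" "$eff" "$flag"
    done
}

# Relax the listed interfaces (e.g. the VLAN and, if wanted, its parent):
# strict on every other present interface, strict for interfaces created
# later via default, and all=0 so the per-interface 0 is honoured.
relax_rp_filter() {
    echo 1 > "$RPF_ROOT/default/rp_filter"
    for d in "$RPF_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        case " $* " in
            *" $i "*) echo 0 > "$d/rp_filter" ;;
            *)        echo 1 > "$d/rp_filter" ;;
        esac
    done
    echo 0 > "$RPF_ROOT/all/rp_filter"
}

# Usage: sh rpf.sh audit  |  sh rpf.sh apply ens20.4 [ens20 ...]
case "${1:-}" in
    audit) audit_rp_filter ;;
    apply) shift; relax_rp_filter "$@"; audit_rp_filter ;;
esac
```

Run `audit` first: any line ending in `!` is an interface whose own setting is being overridden by conf/all, which is exactly the state the plain per-interface echo leaves you in.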

To ensure these settings survive reboots, add them to /etc/sysctl.conf or create a custom config file in /etc/sysctl.d/:

# /etc/sysctl.d/10-vlan-rpfilter.conf
# The dot in a VLAN interface name is written as '/' in sysctl key notation;
# otherwise sysctl looks for conf/ens20/4/rp_filter and fails.
# systemd-sysctl re-applies per-interface keys when the interface appears;
# with a plain "sysctl -p" the interface must already exist.
net.ipv4.conf.ens20/4.rp_filter = 0
net.ipv4.conf.ens20.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0

After applying changes, verify with:

sysctl -a | grep rp_filter

Test packet flow using tools like hping3 or scapy to confirm the desired behavior.

While relaxing rp_filter on specific interfaces, consider implementing additional security measures:

# Example: Enable martian log for the interface
echo 1 > /proc/sys/net/ipv4/conf/ens20.4/log_martians

# Implement eBPF filtering for advanced control (filter_spoofed_packets.o is
# your own compiled XDP program; pin it, then attach the pinned program)
bpftool prog load filter_spoofed_packets.o /sys/fs/bpf/filter_spoofed
bpftool net attach xdp pinned /sys/fs/bpf/filter_spoofed dev ens20.4

Remember that disabling rp_filter on any interface should be accompanied by proper firewall rules and network segmentation to prevent potential security issues.