enforce strict reverse path filtering via nftables

2025-08-05 04:54:14 -04:00 · 2024-03-23 11:18:02 -04:00 · 2024-03-23 11:18:02 -04:00 · ec2cbbdb4e
commit ec2cbbdb4e
parent 81fa5f8ebd
10 changed files with 31 additions and 0 deletions
--- a/sysctl.d/local.conf
+++ b/sysctl.d/local.conf
@ -28,6 +28,10 @@ net.ipv4.conf.default.accept_redirects = 0
 net.netfilter.nf_conntrack_tcp_loose = 0
 net.netfilter.nf_conntrack_tcp_timeout_established = 14400

+# enforced with nftables to handle both IPv4 and IPv6 in the same way
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.*.rp_filter = 0
+
 net.mptcp.enabled = 0

 kernel.yama.ptrace_scope = 2