How can I know if any packets are discarded by strict filtering?

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 7, 8, 9

Issue

  • How can I know if any packets are discarded by strict filtering (when rp_filter=1)?
  • Will syslog output messages when rp_filter discards packets?

Resolution

The following two methods can be used to check whether rp_filter has discarded any packets.

  • Check the IPReversePathFilter SNMP counter. nstat reports it as TcpExtIPReversePathFilter; it counts the packets dropped by rp_filter.
# nstat -s | grep IPReversePathFilter
TcpExtIPReversePathFilter       68                 0.0
  • Enable log_martians.
    By default, syslog does not output any messages for rp_filter; you need to enable log_martians to log this event. Note that with log_martians enabled, all martian packets are logged, not just the packets dropped by rp_filter.
    For more about martian packets, see Why do I see "martian source" logs in the messages file?
    Logging is active on an interface when log_martians is set either for that interface or under conf/all, so check both. The value written with echo below is not persistent across reboots.
# sysctl -a | grep "log_martians"
# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians

After log_martians is enabled, you will see "martian source" messages when rp_filter discards packets:

Dec 16 13:44:18 localhost kernel: IPv4: martian source <local ip address> from <source ip address>, on dev XX

Diagnostic Steps

  • When log_martians is enabled, every discarded packet is logged as a separate message, so the increase in the counter should match the number of logged messages.
# nstat -s | grep IPReversePathFilter
TcpExtIPReversePathFilter       55                 0.0

Bring the link down on one of the NICs so that traffic arrives on an unexpected interface, then check the counter again.

# nstat -s | grep IPReversePathFilter
TcpExtIPReversePathFilter       68                 0.0

# grep "martian source" /var/log/messages | wc -l
13
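The comparison above as a script, added here as an example and not part of the Red Hat article: it parses captured nstat -s output and syslog text and reports whether the increase in TcpExtIPReversePathFilter matches the number of "martian source" messages. The function names, the sample counter values and the sample log lines (IP addresses and device name) are constructed for this example so that it runs offline.

```sh
#!/bin/sh
# Added example (not from the Red Hat article). Parses captured "nstat -s" output and
# syslog text to confirm rp_filter discards, using the constructed sample data below.

# rpf_counter: read nstat output on stdin and print the TcpExtIPReversePathFilter
# value (0 when the counter is absent, i.e. nothing has been discarded).
rpf_counter() {
    awk '$1 == "TcpExtIPReversePathFilter" { n = $2 } END { print n + 0 }'
}

# rpf_delta BEFORE AFTER: increase of the counter between two captured nstat outputs.
rpf_delta() {
    before=$(printf '%s\n' "$1" | rpf_counter)
    after=$(printf '%s\n' "$2" | rpf_counter)
    echo $((after - before))
}

# martian_count [DEV]: count "martian source" kernel messages on stdin; with DEV,
# count only those logged for that interface (the line ends with "on dev DEV").
martian_count() {
    awk -v dev="$1" '/martian source/ && (dev == "" || $NF == dev) { n++ } END { print n + 0 }'
}

# compare_drops BEFORE AFTER LOG: print both figures; return 0 only when every counted
# discard has a matching log line (they differ when log_martians is not enabled on
# the receiving interface, or when the log covers a different window than the counters).
compare_drops() {
    delta=$(rpf_delta "$1" "$2")
    logged=$(printf '%s\n' "$3" | martian_count)
    printf 'rp_filter drops: %s, martian messages: %s\n' "$delta" "$logged"
    [ "$delta" -eq "$logged" ]
}

# Constructed samples (counter values mirror the article's diagnostic output).
NSTAT_BEFORE='#kernel
IpInReceives                    12345              0.0
TcpExtIPReversePathFilter       55                 0.0'
NSTAT_AFTER='#kernel
IpInReceives                    12400              0.0
TcpExtIPReversePathFilter       68                 0.0'
MESSAGES='Dec 16 13:44:18 localhost kernel: IPv4: martian source 192.0.2.10 from 198.51.100.7, on dev eth1
Dec 16 13:44:18 localhost kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Dec 16 13:44:19 localhost kernel: IPv4: martian source 192.0.2.10 from 198.51.100.7, on dev eth1'

# On a live host, capture the inputs with "nstat -s" (before and after) and
# grep 'martian source' /var/log/messages, then feed them to compare_drops.
compare_drops "$NSTAT_BEFORE" "$NSTAT_AFTER" "$MESSAGES" || echo "counter and log disagree"
```

In the sample data the counter rose by 13 while only 2 messages were logged, so the script reports the mismatch; on a host where log_martians was enabled before the test, both figures should be equal.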

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.