Performs a reverse path filter test on a packet.
If a reply to the packet would be sent via the same interface
that the packet arrived on, the packet will match.
Note that, unlike the in-kernel rp_filter, packets protected
by IPsec are not treated specially.  Combine this match with
the policy match if you want this.
Also, packets arriving via the loopback interface are always permitted.
This match can only be used in the PREROUTING chain of the raw or mangle table.
.TP
\fB\-\-loose\fP
Used to specify that the reverse path filter test should match
even if the selected output device is not the expected one.
.TP
\fB\-\-validmark\fP
Also use the packet's nfmark value when performing the reverse path route lookup.
.TP
\fB\-\-accept\-local\fP
This will permit packets arriving from the network with a source address that is also
assigned to the local machine.
.TP
\fB\-\-invert\fP
This will invert the sense of the match.  Instead of matching packets that passed the
reverse path filter test, match those that have failed it.
.PP
Example to log and drop packets failing the reverse path filter test:

iptables \-t raw \-N RPFILTER

iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN

iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"

iptables \-t raw \-A RPFILTER \-j DROP

iptables \-t raw \-A PREROUTING \-j RPFILTER

Example to drop failed packets, without logging:

iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP
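.PP
The log-and-drop chain above, rendered as an iptables-restore fragment by an added helper script that is not part of the iptables man page or source; it assumes the rpfilter match and NFLOG target exist in the running kernel, only generates rule text, and refuses \fB\-\-invert\fP because the chain's RETURN rule already encodes the non-inverted sense:

```sh
#!/bin/sh
# Added example, not part of the iptables man page: render the log-and-drop
# RPFILTER chain as an iptables-restore fragment for the raw table.
# Assumptions: the rpfilter match and NFLOG target are available in the
# running kernel; this script only generates rule text, it applies nothing.

# rpfilter_check_opts MATCH_OPTS
#   Accept only the options that keep the chain's RETURN/DROP logic intact.
#   --invert is rejected: the RETURN rule already encodes "passed the test",
#   so inverting it there would return the failing packets and drop the rest.
rpfilter_check_opts() {
    for o in $1; do
        case $o in
            --loose|--validmark|--accept-local) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# rpfilter_restore_fragment MATCH_OPTS
#   MATCH_OPTS: extra "-m rpfilter" options, e.g. "--accept-local --loose",
#   or "" for the strict default. Prints the fragment; returns 1 on bad options.
rpfilter_restore_fragment() {
    opts=$1
    rpfilter_check_opts "$opts" || return 1
    printf '%s\n' '*raw'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':RPFILTER - [0:0]'
    # Packets that pass the reverse path test leave the chain unchanged.
    printf '%s\n' "-A RPFILTER -m rpfilter${opts:+ $opts} -j RETURN"
    # Rate-limited NFLOG so a flood of spoofed packets cannot swamp the logger.
    printf '%s\n' '-A RPFILTER -m limit --limit 10/minute -j NFLOG --nflog-prefix "rpfilter drop"'
    printf '%s\n' '-A RPFILTER -j DROP'
    # Hook the chain into PREROUTING, the only chain this match may be used in.
    printf '%s\n' '-A PREROUTING -j RPFILTER'
    printf '%s\n' 'COMMIT'
}

# Usage (as root): rpfilter_restore_fragment "" | iptables-restore --noflush
```

Pass "--accept-local" or "--loose --validmark" as the argument to relax the test; the fragment is applied with iptables-restore --noflush so existing raw-table rules are kept.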