This article describes how Reverse Path Forwarding (RPF) is implemented on FortiGate. It also explains how the VDOM-specific CLI setting "config system settings -> set strict-src-check" modifies RPF behavior. The following setup is used in the test scenarios.

The reverse path filter (also known as RPF) is a security mechanism that allows incoming packets to be dropped based on their source IP address. The reverse path of the packet's source IP address, that is, the route back to the packet's source IP address, is checked against the routing table. Depending on the reverse path filter configuration, the packet is either dropped or forwarded.

FortiGate implements only two of the reverse path filters referenced in RFC 3704: "Strict Reverse Path Forwarding" and "Feasible Path Reverse Path Forwarding". It implements neither "Loose Reverse Path Forwarding" nor "Loose Reverse Path Forwarding Ignoring Default Routes".

The per-VDOM CLI option "strict-src-check enable|disable" (disabled by default), in the "config system settings" section, selects between "strict" and "feasible path":

  • set strict-src-check disable (default): selects the "feasible path" behavior
  • set strict-src-check enable: selects the "strict" behavior

Difference between "strict" and "feasible path"

"Strict" performs a route lookup (best match) on the packet's source IP. If the packet's incoming interface does not match the interface selected by the route lookup, the packet is dropped.

"Feasible path" does not consider only the best-match route. Other routes pointing to the ingress interface are checked as well. If one of them contains the packet's source IP address, even if it is not the best-match route, the packet is accepted.

Blackhole routes are a special case. Both the "strict" and the "feasible path" RPF route lookups include any active blackhole routes alongside the routes via the incoming interface. If the best match is a blackhole route, the traffic is dropped. In debug flow, this generates a "reverse path check fail" message, similar to other drops caused by the reverse path filter.

Disabling the RPF check at the interface level:

```
config system interface
    edit <interface>
        set src-check disable
    end
```

Asymmetric routing enable: configuring the VDOM in asymmetric mode (set asymroute enable) is one option, but it also disables stateful packet inspection, which may not be desired.

strict-src-check disable, adding a supernet route as a feasible path: a route with a larger prefix can be added, pointing to the interface the packets arrive from. Since best match applies, the most specific route is still the one used to route packets. This "non-priority" route is added only to provide a "feasible path". "strict-src-check" should be set to "disable".

strict-src-check disable, adding a route identical to the best-match route (same subnet, same prefix, same distance) but with a priority value higher than that of the best-match route: this forces the route to be injected into the routing table as a second choice.

Note: the lower the priority value, the better. If not defined, the priority is set to '0' by default.

Verification

Examples:

The following examples are provided to highlight the strict-src-check setting. These examples use several VDOMs of the FortiGate. Port1 and Port3 are connected with a cross-over cable for the inter-VDOM communication.

Test traffic: a telnet is issued from vdom client to the vdom server IP address (192.168.3.1). The flow is diverted by a policy route in vdom traffic toward vdom snat, where the packet is source-NATted with an IP pool (192.168.5.1-10). The packet is re-injected into vdom traffic with a source IP address of 192.168.5.x.

Flow:

  • The packet leaves vdom client as 192.168.0.1 -> 192.168.3.1.
  • The packet flows through vdom traffic from interface (p3v84) to (p3v85) and reaches vdom snat.
  • The packet is source-NATted in vdom snat and re-injected into vdom traffic. The packet is now 192.168.5.X -> 192.168.3.1.
  • RPF takes place in vdom traffic. Different cases are shown below.

A. vdom traffic configured with strict-src-check disable, with a feasible path

RPF is neutralized by a feasible path route 192.168.0.0/16 and the packet is expected to flow.

Telnet from client vdom is working:

```
FG3K8A-4 (client) # execute telnet 192.168.3.1
FG3K8A-4 login:
```

traffic vdom routing table:

```
FG3K8A-4 (traffic) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S       192.168.0.0/16 [10/0] via 192.168.2.1, p3v86
C       192.168.0.0/24 is directly connected, p3v84
C       192.168.2.0/24 is directly connected, p3v86
C       192.168.3.0/24 is directly connected, p3v87
S       192.168.4.0/24 [10/0] via 192.168.0.1, p3v84
C       192.168.5.0/24 is directly connected, p3v85
```

Debug flow captured in traffic vdom shows the packet path up to server vdom:

```
FG3K8A-4 (traffic) #
id=36871 trace_id=99 func=resolve_ip_tuple_fast line=3785 msg="vd-client received a packet(proto=6, 192.168.0.1:1111->192.168.3.1:23) from local."
id=36871 trace_id=99 func=resolve_ip_tuple line=3925 msg="allocate a new session-0000045b"
id=36871 trace_id=100 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.0.1:1111->192.168.3.1:23) from p3v84."
id=36871 trace_id=100 func=resolve_ip_tuple line=3925 msg="allocate a new session-0000045c"
id=36871 trace_id=100 func=vf_ip4_route_input line=1591 msg="Match policy routing: to 192.168.5.1 via ifindex-31"
id=36871 trace_id=100 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.5.1 via p3v85"
id=36871 trace_id=100 func=fw_forward_handler line=555 msg="Allowed by Policy-1:"
id=36871 trace_id=101 func=resolve_ip_tuple_fast line=3785 msg="vd-snat received a packet(proto=6, 192.168.0.1:1111->192.168.3.1:23) from p1v85."
id=36871 trace_id=101 func=resolve_ip_tuple line=3925 msg="allocate a new session-0000045d"
id=36871 trace_id=101 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.2.2 via p1v86"
id=36871 trace_id=101 func=get_new_addr line=1948 msg="find SNAT: IP-192.168.4.2(from IPPOOL), port-0(fixed port)"
id=36871 trace_id=101 func=fw_forward_handler line=555 msg="Allowed by Policy-1: SNAT"
id=36871 trace_id=101 func=__ip_session_run_tuple line=2116 msg="SNAT 192.168.0.1->192.168.4.2:1111"
id=36871 trace_id=102 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.4.2:1111->192.168.3.1:23) from p3v86."
id=36871 trace_id=102 func=resolve_ip_tuple line=3925 msg="allocate a new session-0000045e"
id=36871 trace_id=102 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.3.1 via p3v87"
id=36871 trace_id=102 func=fw_forward_handler line=555 msg="Allowed by Policy-2:"
id=36871 trace_id=103 func=resolve_ip_tuple_fast line=3785 msg="vd-server received a packet(proto=6, 192.168.4.2:1111->192.168.3.1:23) from p1v87."
```

B. vdom traffic configured with strict-src-check enable

Strict RPF is expected to drop the packets.

The configuration is now changed:

```
FG3K8A-4 (traffic) # config system settings
FG3K8A-4 (settings) # set strict-src-check enable
FG3K8A-4 (settings) # end
```

Telnet from client vdom fails:

```
FG3K8A-4 (client) # execute telnet 192.168.3.1
Timeout!
```

Debug flow captured in traffic VDOM shows the packet dropped by the RPF filter:

```
FG3K8A-4 (traffic) #
id=36871 trace_id=91 func=resolve_ip_tuple_fast line=3785 msg="vd-client received a packet(proto=6, 192.168.0.1:1108->192.168.3.1:23) from local."
id=36871 trace_id=91 func=resolve_ip_tuple_fast line=3825 msg="Find an existing session, id-00000391, original direction"
id=36871 trace_id=92 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.0.1:1108->192.168.3.1:23) from p3v84."
id=36871 trace_id=92 func=resolve_ip_tuple_fast line=3825 msg="Find an existing session, id-00000392, original direction"
id=36871 trace_id=92 func=ipv4_fast_cb line=50 msg="enter fast path"
id=36871 trace_id=93 func=resolve_ip_tuple_fast line=3785 msg="vd-snat received a packet(proto=6, 192.168.0.1:1108->192.168.3.1:23) from p1v85."
id=36871 trace_id=93 func=resolve_ip_tuple_fast line=3825 msg="Find an existing session, id-00000393, original direction"
id=36871 trace_id=93 func=ipv4_fast_cb line=50 msg="enter fast path"
id=36871 trace_id=93 func=ip_session_run_all_tuple line=4819 msg="SNAT 192.168.0.1->192.168.4.2:1108"
id=36871 trace_id=94 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.4.2:1108->192.168.3.1:23) from p3v86."
id=36871 trace_id=94 func=resolve_ip_tuple line=3925 msg="allocate a new session-0000039e"
id=36871 trace_id=94 func=ip_route_input_slow line=1287 msg="reverse path check fail(by strict-src-check),drop"
```

C. vdom traffic configured with strict-src-check disable, without a feasible path

strict-src-check is disabled and the feasible path is removed. The packet is expected to be dropped by RPF because no feasible path exists.

Configuration change (feasible route deleted):

```
FG3K8A-4 (traffic) # config system settings
FG3K8A-4 (settings) # set strict-src-check disable
FG3K8A-4 (settings) # end
FG3K8A-4 (traffic) # config router static
FG3K8A-4 (static) # show
config router static
    edit 3
        set device p3v86
        set dst 192.168.0.0 255.255.0.0
        set gateway 192.168.2.1
    next
    edit 2
        set device p3v84
        set dst 192.168.4.0 255.255.255.0
        set gateway 192.168.0.1
    next
end
FG3K8A-4 (static) # delete 3
FG3K8A-4 (static) # end
```

Routing table:

```
FG3K8A-4 (traffic) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       192.168.0.0/24 is directly connected, p3v84
C       192.168.2.0/24 is directly connected, p3v86
C       192.168.3.0/24 is directly connected, p3v87
S       192.168.4.0/24 [10/0] via 192.168.0.1, p3v84
C       192.168.5.0/24 is directly connected, p3v85
```

Telnet from client vdom fails:

```
FG3K8A-4 (client) # execute telnet 192.168.3.1
Timeout!
```

Debug flow shows the SYN packet dropped by RPF because no feasible path exists:

```
FG3K8A-4 (traffic) #
id=36871 trace_id=129 func=resolve_ip_tuple_fast line=3785 msg="vd-client received a packet(proto=6, 192.168.0.1:1113->192.168.3.1:23) from local."
id=36871 trace_id=129 func=resolve_ip_tuple line=3925 msg="allocate a new session-000005b7"
id=36871 trace_id=130 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.0.1:1113->192.168.3.1:23) from p3v84."
id=36871 trace_id=130 func=resolve_ip_tuple line=3925 msg="allocate a new session-000005b8"
id=36871 trace_id=130 func=vf_ip4_route_input line=1591 msg="Match policy routing: to 192.168.5.1 via ifindex-31"
id=36871 trace_id=130 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.5.1 via p3v85"
id=36871 trace_id=130 func=fw_forward_handler line=555 msg="Allowed by Policy-1:"
id=36871 trace_id=131 func=resolve_ip_tuple_fast line=3785 msg="vd-snat received a packet(proto=6, 192.168.0.1:1113->192.168.3.1:23) from p1v85."
id=36871 trace_id=131 func=resolve_ip_tuple line=3925 msg="allocate a new session-000005b9"
id=36871 trace_id=131 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.2.2 via p1v86"
id=36871 trace_id=131 func=get_new_addr line=1948 msg="find SNAT: IP-192.168.4.2(from IPPOOL), port-0(fixed port)"
id=36871 trace_id=131 func=fw_forward_handler line=555 msg="Allowed by Policy-1: SNAT"
id=36871 trace_id=131 func=__ip_session_run_tuple line=2116 msg="SNAT 192.168.0.1->192.168.4.2:1113"
id=36871 trace_id=132 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.4.2:1113->192.168.3.1:23) from p3v86."
id=36871 trace_id=132 func=resolve_ip_tuple line=3925 msg="allocate a new session-000005ba"
id=36871 trace_id=132 func=ip_route_input_slow line=1276 msg="reverse path check fail, drop"
```

D. vdom traffic configured with strict-src-check disable, with a second non-priority route

In this scenario, 2 routes for 192.168.4.0/24 exist:

  • The preferred one has priority 0 (default). This is the one used for routing, and it points in a different direction than the one the packet ingresses from.
  • The second one has priority 10 (less preferred). It is not used for routing because a similar route with a lower priority number exists. It points to the interface where our packet comes from. This is the one that neutralizes the RPF filter for the source-NATted packet.

Configuration:

```
config router static
    edit 2
        set device p3v84
        set dst 192.168.4.0 255.255.255.0
        set gateway 192.168.0.1
    next
    edit 3
        set comment "neutralize RPF for 192.168.4.0/24"
        set device p3v86
        set dst 192.168.4.0 255.255.255.0
        set gateway 192.168.2.1
        set priority 10
    next
end
```

Routing table:

```
FG3K8A-4 (static) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       192.168.0.0/24 is directly connected, p3v84
C       192.168.2.0/24 is directly connected, p3v86
C       192.168.3.0/24 is directly connected, p3v87
S       192.168.4.0/24 [10/0] via 192.168.0.1, p3v84
                       [10/0] via 192.168.2.1, p3v86, [10/0]
C       192.168.5.0/24 is directly connected, p3v85
```

Connection is OK:

```
FG3K8A-4 (client) # execute telnet 192.168.3.1
FG3K8A-4 login:
```

Flow shows packets transmitted:

```
FG3K8A-4 (traffic) #
id=36871 trace_id=145 func=resolve_ip_tuple_fast line=3785 msg="vd-client received a packet(proto=6, 192.168.0.1:1117->192.168.3.1:23) from local."
id=36871 trace_id=145 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001d04"
id=36871 trace_id=146 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.0.1:1117->192.168.3.1:23) from p3v84."
id=36871 trace_id=146 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001d05"
id=36871 trace_id=146 func=vf_ip4_route_input line=1591 msg="Match policy routing: to 192.168.5.1 via ifindex-31"
id=36871 trace_id=146 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.5.1 via p3v85"
id=36871 trace_id=146 func=fw_forward_handler line=555 msg="Allowed by Policy-1:"
id=36871 trace_id=147 func=resolve_ip_tuple_fast line=3785 msg="vd-snat received a packet(proto=6, 192.168.0.1:1117->192.168.3.1:23) from p1v85."
id=36871 trace_id=147 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001d06"
id=36871 trace_id=147 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.2.2 via p1v86"
id=36871 trace_id=147 func=get_new_addr line=1948 msg="find SNAT: IP-192.168.4.2(from IPPOOL), port-0(fixed port)"
id=36871 trace_id=147 func=fw_forward_handler line=555 msg="Allowed by Policy-1: SNAT"
id=36871 trace_id=147 func=__ip_session_run_tuple line=2116 msg="SNAT 192.168.0.1->192.168.4.2:1117"
id=36871 trace_id=148 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.4.2:1117->192.168.3.1:23) from p3v86."
id=36871 trace_id=148 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001d07"
id=36871 trace_id=148 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.3.1 via p3v87"
id=36871 trace_id=148 func=fw_forward_handler line=555 msg="Allowed by Policy-2:"
id=36871 trace_id=149 func=resolve_ip_tuple_fast line=3785 msg="vd-server received a packet(proto=6, 192.168.4.2:1117->192.168.3.1:23) from p1v87."
```

Now, if strict-src-check is enabled, RPF drops the packet.

Configuration:

```
FG3K8A-4 (traffic) # config system settings
FG3K8A-4 (settings) # set strict-src-check enable
FG3K8A-4 (settings) # end
```

Flow showing the packet is dropped:

```
FG3K8A-4 (traffic) #
id=36871 trace_id=175 func=resolve_ip_tuple_fast line=3785 msg="vd-client received a packet(proto=6, 192.168.0.1:1119->192.168.3.1:23) from local."
id=36871 trace_id=175 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001dd3"
id=36871 trace_id=176 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.0.1:1119->192.168.3.1:23) from p3v84."
id=36871 trace_id=176 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001dd4"
id=36871 trace_id=176 func=vf_ip4_route_input line=1591 msg="Match policy routing: to 192.168.5.1 via ifindex-31"
id=36871 trace_id=176 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.5.1 via p3v85"
id=36871 trace_id=176 func=fw_forward_handler line=555 msg="Allowed by Policy-1:"
id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3785 msg="vd-snat received a packet(proto=6, 192.168.0.1:1119->192.168.3.1:23) from p1v85."
id=36871 trace_id=177 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001dd5"
id=36871 trace_id=177 func=vf_ip4_route_input line=1599 msg="find a route: gw-192.168.2.2 via p1v86"
id=36871 trace_id=177 func=get_new_addr line=1948 msg="find SNAT: IP-192.168.4.2(from IPPOOL), port-0(fixed port)"
id=36871 trace_id=177 func=fw_forward_handler line=555 msg="Allowed by Policy-1: SNAT"
id=36871 trace_id=177 func=__ip_session_run_tuple line=2116 msg="SNAT 192.168.0.1->192.168.4.2:1119"
id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3785 msg="vd-traffic received a packet(proto=6, 192.168.4.2:1119->192.168.3.1:23) from p3v86."
id=36871 trace_id=178 func=resolve_ip_tuple line=3925 msg="allocate a new session-00001dd6"
id=36871 trace_id=178 func=ip_route_input_slow line=1287 msg="reverse path check fail(by strict-src-check),drop"
```

Reverse path forwarding failure drop counter:

The CLI command below has a new counter to track and check packet drops due to RPF failures. It is available in FortiOS 7.6 and later versions.

```
FortiGate-1# diagnose ip rtcache stats
in_hit: 2483
in_slow_tot: 162
in_slow_mc: 0
in_no_route: 0
in_brd: 4
in_martian_dst: 0
in_martian_src: 2
out_hit: 21813
out_slow_tot: 127
out_slow_mc: 0
gc_total: 0
gc_ignored: 0
gc_goal_miss: 0
gc_dst_overflow: 0
in_hlist_search: 0
out_hlist_search: 12484
reverse_path_check_fail: 875
```

reverse_path_check_fail is the RPF failure counter; check whether it is incrementing.
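The strict and feasible-path decisions described in this article, modelled in Python as an added example (it is not FortiOS code and not part of the original article). The route list reproduces the vdom traffic routing tables of cases A to D; the `Route` tuple, the `rpf_check` function and the blackhole route are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# dev=None models a blackhole route; a lower priority value is preferred.
Route = namedtuple("Route", "prefix dev priority")

def rpf_check(routes, src, in_if, strict=False):
    """Model of the RPF decision described in the article: 'accept' or 'drop'."""
    ip = ipaddress.ip_address(src)
    covering = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not strict:
        # Feasible path: consider routes via the ingress interface, plus blackholes.
        covering = [r for r in covering if r.dev in (in_if, None)]
    if not covering:
        return "drop"
    # Best match: longest prefix first, then lowest priority value.
    best = min(covering, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                        r.priority))
    return "accept" if best.dev == in_if else "drop"

# vdom "traffic" routing table from case C (feasible route deleted).
BASE = [
    Route("192.168.0.0/24", "p3v84", 0),
    Route("192.168.2.0/24", "p3v86", 0),
    Route("192.168.3.0/24", "p3v87", 0),
    Route("192.168.4.0/24", "p3v84", 0),
    Route("192.168.5.0/24", "p3v85", 0),
]
SUPERNET = Route("192.168.0.0/16", "p3v86", 0)   # feasible route of cases A and B
SECOND = Route("192.168.4.0/24", "p3v86", 10)    # non-priority route of case D
BLACKHOLE = Route("192.168.4.0/24", None, 0)     # constructed, not from the page

def run_cases(src="192.168.4.2", in_if="p3v86"):
    """Evaluate the source-NATted packet re-entering vdom traffic on p3v86."""
    return {
        "A": rpf_check(BASE + [SUPERNET], src, in_if),
        "B": rpf_check(BASE + [SUPERNET], src, in_if, strict=True),
        "C": rpf_check(BASE, src, in_if),
        "D": rpf_check(BASE + [SECOND], src, in_if),
        "D-strict": rpf_check(BASE + [SECOND], src, in_if, strict=True),
        "blackhole": rpf_check(BASE + [SUPERNET, BLACKHOLE], src, in_if),
    }

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(case, verdict)
```

The verdicts for A, B, C and D match the telnet and debug flow results shown above; the blackhole case shows a more specific blackhole route overriding the feasible supernet route.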