The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
To mean the max of net.ipv4.conf.all.rp_filter and net.ipv4.conf.interface.rp_filter will be used.
So loose overrides strict overrides none.
However if
net.ipv4.conf.all.rp_filter = 1
is set before any interfaces are created then that value will also be used as the per interface value,
which is why /usr/lib/sysctl.d/50-default.conf only needs to set one value.
Edit:
Wireguard discussion referencing the same nft FIB filtering https://lore.kernel.org/wireguard/860fe … gmail.com/
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1
If you want the value to be 1 for all interfaces, then just set net.ipv4.conf.all.rp_filter. Or alternatively net.ipv4.conf.default.rp_filter and reboot. The biggest value between net.ipv4.conf.interface and net.ipv4.conf.all wins, read https://www.kernel.org/doc/Documentatio … sysctl.txt . I wanted to write "strongest value" not "biggest value", but rereading the docs, it says "max value", so I'm not that certain anymore.
sysctl -a 2>/dev/null | grep "\.rp_filter"
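The "max value wins" rule from the kernel docs is easy to misread when some interfaces are set to 2 and conf.all is 0 or 1. The script below is an added example, not code from this thread or from the kernel documentation: it reads sysctl-style "key = value" text (a constructed sample is embedded; without the argument it queries the live kernel with sysctl -a) and prints, per interface, the effective mode as max(conf.all.rp_filter, conf.<iface>.rp_filter). Function names, the sample interface names and the values are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: compute the effective rp_filter mode per
# interface by the rule quoted from the kernel docs, max(all, <iface>).
# Function names and the sample sysctl text below are constructed for this example.

# Constructed sample in the format printed by `sysctl -a | grep '\.rp_filter'`.
# conf.all is 0 here, so each interface's own value decides.
SAMPLE_RP_FILTER='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.wg0.rp_filter = 1'

# Name of a numeric rp_filter value (0 none, 1 strict, 2 loose).
rp_mode_name() {
    case "$1" in
        0) echo none ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo "unknown($1)" ;;
    esac
}

# Look up one key in "key = value" text; prints nothing if the key is absent.
sysctl_value_from() {
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2 }'
}

# effective_rp_filter IFACE [SYSCTL_TEXT]
# Prints "<iface> <value> <mode>". Reads SYSCTL_TEXT if given, otherwise the
# live kernel via sysctl(8). A missing key counts as 0, so conf.all alone can still win.
effective_rp_filter() {
    iface=$1
    text=${2:-"$(sysctl -a 2>/dev/null | grep '\.rp_filter')"}
    all=$(sysctl_value_from "$text" "net.ipv4.conf.all.rp_filter")
    per=$(sysctl_value_from "$text" "net.ipv4.conf.$iface.rp_filter")
    : "${all:=0}" "${per:=0}"
    eff=$all
    if [ "$per" -gt "$eff" ]; then
        eff=$per
    fi
    printf '%s %s %s\n' "$iface" "$eff" "$(rp_mode_name "$eff")"
}

# rp_filter_report [SYSCTL_TEXT]
# One line per real interface; "all" and "default" are templates, not interfaces.
# (sysctl prints dots inside interface names as "/", so splitting on "." is safe.)
rp_filter_report() {
    text=${1:-"$(sysctl -a 2>/dev/null | grep '\.rp_filter')"}
    printf '%s\n' "$text" |
        awk -F. '$4 != "all" && $4 != "default" { print $4 }' |
        while read -r i; do
            effective_rp_filter "$i" "$text"
        done
}

# Stand-alone run against the constructed sample:
#   lo 0 none / eth0 2 loose / wg0 1 strict
rp_filter_report "$SAMPLE_RP_FILTER"
```

Run it without arguments to see the sample, or call rp_filter_report with no argument on a real machine to check what the kernel will actually enforce after editing conf.all or a per-interface value. Note that a value of 2 on one interface stays loose even when conf.all is 1, which is the "loose overrides strict overrides none" reading given above.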
sysctl(8) supports regex pattern matching:
sysctl -ar '\.rp_filter'
If I understand correctly, net.ipv4.conf.*.rp_filter only affects IPv4, for IPv6 you need firewall rules.
It looks like the nft(8) man page has examples for rpfilter and the strong host model. Though I'm not sure what their exact placement should be. And they're also bound to break something.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1
and restart the service / reboot the machine.
Test by:
sysctl -a 2>/dev/null | grep "\.rp_filter"