Performs a reverse path filter test on a packet.
If a reply to the packet would be sent via the same interface
that the packet arrived on, the packet will match.
Note that, unlike the in-kernel rp_filter, packets protected
by IPsec are not treated specially.  Combine this match with
the policy match if you want this.
Also, packets arriving via the loopback interface are always permitted.
This match can only be used in the PREROUTING chain of the raw or mangle table.
.TP
\fB\-\-loose\fP
Used to specify that the reverse path filter test should match
even if the selected output device is not the expected one.
.TP
\fB\-\-validmark\fP
Also use the packet's nfmark value when performing the reverse path route lookup.
.TP
\fB\-\-accept\-local\fP
This will permit packets arriving from the network with a source address that is also
assigned to the local machine.
.TP
\fB\-\-invert\fP
This will invert the sense of the match.  Instead of matching packets that passed the
reverse path filter test, match those that have failed it.
.PP
Example to log and drop packets failing the reverse path filter test:

iptables \-t raw \-N RPFILTER

iptables \-t raw \-A RPFILTER \-m rpfilter \-j RETURN

iptables \-t raw \-A RPFILTER \-m limit \-\-limit 10/minute \-j NFLOG \-\-nflog\-prefix "rpfilter drop"

iptables \-t raw \-A RPFILTER \-j DROP

iptables \-t raw \-A PREROUTING \-j RPFILTER

Example to drop failed packets, without logging:

iptables \-t raw \-A RPFILTER \-m rpfilter \-\-invert \-j DROP

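.PP
The following Python sketch is an added illustration, not code from iptables or from this manual page.
It models the test and the \-\-loose, \-\-accept\-local and \-\-invert options described above on a constructed routing table.
The interface names, addresses and function names are assumptions, as is the choice that the interface check still applies with \-\-accept\-local.

```python
import ipaddress

# Constructed sample state (assumption): (prefix, interface a reply would use)
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route via the uplink
    ("10.0.0.0/8", "eth1"),      # internal network
    ("192.0.2.0/24", "eth0"),    # directly connected uplink subnet
]
LOCAL_ADDRS = {"192.0.2.1", "10.0.0.1"}   # addresses assigned to this host


def reverse_route(src, routes=ROUTES):
    """Longest-prefix match on the source address. Returns the interface a
    reply would leave on, or None if no route covers the source."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rpfilter_match(src, in_dev, loose=False, accept_local=False, invert=False):
    """Return True when the modelled rpfilter rule matches the packet."""
    if in_dev == "lo":
        passed = True                    # loopback is always permitted
    elif src in LOCAL_ADDRS and not accept_local:
        passed = False                   # own address arriving from the network
    else:
        out_dev = reverse_route(src)
        if out_dev is None:
            passed = False               # no route back to the source
        else:
            # strict: reply must use the arrival interface; loose: any route
            passed = loose or out_dev == in_dev
    return passed != invert              # invert flips the sense of the match


def rpfilter_chain(src, in_dev, **opts):
    """Verdict of the RPFILTER chain from the first example above:
    RETURN when the test passes, otherwise the packet reaches DROP."""
    return "RETURN" if rpfilter_match(src, in_dev, **opts) else "DROP"
```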