From 75c9af80cf3529c76988451e63f98010c86f48f1 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Wed, 28 Nov 2018 11:44:20 +0100
Subject: [PATCH] sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2
This switches the RFC3704 Reverse Path filtering from Strict mode to Loose
mode. The Strict mode breaks some pretty common and reasonable use cases,
such as keeping connections via one default route alive after another one
appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).
The strict filter also makes it impossible for NetworkManager to do
connectivity check on a newly arriving default route (it starts with a
higher metric and is bumped lower if there's connectivity).
Kernel's default is 0 (no filter), but a Loose filter is good enough. The
few use cases where a Strict mode could make sense can easily override
this.
The distributions that don't care about the client use cases and prefer a
strict filter could just ship a custom configuration in
/usr/lib/sysctl.d/ to override this.
Cherry-picked from: 230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
Resolves: #1653824
---
sysctl.d/50-default.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index e263cf062..b0645f33e 100644
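--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -22,7 +22,7 @@ kernel.sysrq = 16
 kernel.core_uses_pid = 1
 
 # Source route verification
-net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 2
 
 # Do not accept source routing
 net.ipv4.conf.all.accept_source_route = 0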
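Review bot: The comment above the changed line still reads only `# Source route verification`, so nothing in the file records that 2 selects RFC 3704 loose mode or how strict filtering can be restored. The kernel applies the maximum of `conf.all.rp_filter` and the per-interface value, so with `all = 2` a per-interface `rp_filter = 1` has no effect; a host that wants strict filtering has to lower the `all` key itself in a later sysctl.d file. I would expand the comment to something like `# Source route verification: 2 = loose (RFC 3704); kernel uses max(all, <iface>), so set this key to 1 for strict mode`. Multihomed hosts and routers that relied on strict mode as an anti-spoofing control should verify their effective value after taking this change.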