Permalink
Browse files

sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2

This switches the RFC3704 Reverse Path filtering from Strict mode to Loose
mode. The Strict mode breaks some pretty common and reasonable use cases,
such as keeping connections via one default route alive after another one
appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).

The strict filter also makes it impossible for NetworkManager to do
connectivity check on a newly arriving default route (it starts with a
higher metric and is bumped lower if there's connectivity).

Kernel's default is 0 (no filter), but a Loose filter is good enough. The
few use cases where a Strict mode could make sense can easily override
this.

The distributions that don't care about the client use cases and prefer a
strict filter could just ship a custom configuration in
/usr/lib/sysctl.d/ to override this.
  • Loading branch information...
lkundrak authored and poettering committed Nov 28, 2018
1 parent 0d34228 commit 230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
Showing with 10 additions and 1 deletion.
  1. +9 −0 NEWS
  2. +1 −1 sysctl.d/50-default.conf
9 NEWS
@@ -70,6 +70,15 @@ CHANGES WITH 240 in spe:
glibc is going to make it available too. This locale enables UTF-8
mode by default, which appears appropriate for 2018.

* The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
default. This effectively switches the RFC3704 Reverse Path filtering
from Strict mode to Loose mode. This is more appropriate for hosts
that have multiple links with routes to the same networks (e.g.
a client with a Wi-Fi and Ethernet both connected to the internet).

Consult the kernel documetnation for details on this sysctl:
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

CHANGES WITH 239:

* NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
@@ -22,7 +22,7 @@ kernel.sysrq = 16
kernel.core_uses_pid = 1

# Source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter = 2

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0

2 comments on commit 230450d

@antonov-impulsm

This comment has been minimized.

Copy link

antonov-impulsm replied Jan 28, 2019

is it normal that we set "net.ipv4.conf.all.rp_filter", but did set "net.ipv4.conf.default.rp_filter" (before) ?

just asking (I'm trying to understand)...

@antonov-impulsm

This comment has been minimized.

Copy link

antonov-impulsm replied Jan 28, 2019

i got

The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.

value "2" will be used. right?

Please sign in to comment.