Commit
sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2
This switches the RFC3704 Reverse Path filtering from Strict mode to Loose mode. The Strict mode breaks some pretty common and reasonable use cases, such as keeping connections via one default route alive after another one appears (e.g. plugging in an Ethernet cable when connected via Wi-Fi). The strict filter also makes it impossible for NetworkManager to do a connectivity check on a newly arriving default route (it starts with a higher metric and is bumped lower if there's connectivity). The kernel's default is 0 (no filter), but a Loose filter is good enough. The few use cases where a Strict mode could make sense can easily override this. The distributions that don't care about the client use cases and prefer a strict filter could just ship a custom configuration in /usr/lib/sysctl.d/ to override this.
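An added example, not part of the systemd commit or its discussion, for checking what this change actually does on a host: it reports the effective reverse-path filter mode per interface from a conf tree laid out like /proc/sys/net/ipv4/conf. The kernel applies the larger of the `all` and per-interface values, so the sample values below (constructed, not taken from a real system) show an interface still carrying the old per-interface 1 ending up in loose mode.

```shell
#!/bin/sh
# Effective RFC 3704 rp_filter mode per interface. The kernel uses
# max(conf/all/rp_filter, conf/<iface>/rp_filter) for source validation,
# so writing net.ipv4.conf.all.rp_filter=2 raises every interface to at
# least loose mode, and a per-interface 1 cannot restore strict mode.
# Pass /proc/sys/net/ipv4/conf as CONFDIR to inspect a live host.

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# effective_rp_filter CONFDIR IFACE -> prints the effective mode number
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    own=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# report_rp_filter CONFDIR -> one line per interface; returns 1 if any
# interface is not in strict mode ("all" and "default" are templates, not
# interfaces, so they are skipped).
report_rp_filter() {
    rc=0
    for d in "$1"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$1" "$iface")
        printf '%-8s own=%s all=%s effective=%s (%s)\n' "$iface" \
            "$(cat "$d/rp_filter")" "$(cat "$1/all/rp_filter")" \
            "$eff" "$(rp_mode_name "$eff")"
        [ "$eff" -eq 1 ] || rc=1
    done
    return $rc
}

# Constructed sample tree: all=2 as after this commit, eth0 still at the
# old per-interface strict value, wlan0 at the kernel default of 0.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
for i in all default eth0 wlan0; do mkdir -p "$SAMPLE/$i"; done
echo 2 > "$SAMPLE/all/rp_filter"
echo 1 > "$SAMPLE/default/rp_filter"
echo 1 > "$SAMPLE/eth0/rp_filter"
echo 0 > "$SAMPLE/wlan0/rp_filter"

report_rp_filter "$SAMPLE" || echo "warning: no interface is in strict mode"
```

A site that wants strict mode back therefore has to lower net.ipv4.conf.all.rp_filter itself in a later-sorting drop-in under /etc/sysctl.d/, not just set the per-interface key.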
230450d
Is it normal that we set "net.ipv4.conf.all.rp_filter", but (before) set "net.ipv4.conf.default.rp_filter"?
Just asking (I'm trying to understand)...
I got
value "2" will be used. Right?
https://seclists.org/oss-sec/2019/q4/122
The article above tells of possible VPN attack scenarios, but one can think of other protocols too. Think of reverting to 1, and not changing to 2 until users definitely understand what they are doing.
Hosts that have multiple routes also have, hopefully, administrators who know what the hell they are doing and will properly add further security measures to their network. How in the world did this ever get committed without ANY DISCUSSION??
So you completely compromise millions of hosts in the process? What the fuck.
CVE aside, this is a horrendously asinine thing to have ever committed.
This commit should be preserved, as a good reminder that these days gov agencies don't necessarily need to subvert open source projects anymore.
footnotes:
read up on efficiency vs. effectiveness
It's also a reminder that companies are able to rewrite history. Notice the comments are removed.
Seriously, considering the access Red Hat and now IBM have to Government systems all over the place, for this to have so little change management process is astounding. Entire threads, gone. I'm honestly amazed @poettering still has commit rights at all.
My thoughts on the whole debacle:
https://github.com/stryngs/hysteria