Add net.ipv4.conf.all.log_martians=1 in /usr/lib/sysctl.d/50-default.conf ?

[vincentmli]

Is your feature request related to a problem? Please describe.

Linux distributions with systemd has rp_filter enabled in /usr/lib/sysctl.d/50-default.conf

https://github.com/systemd/systemd/blob/main/sysctl.d/50-default.conf#L24-L27

this could cause container networking issue like cilium/cilium#10645

Sometime it is very time consuming to trouble shoot the container networking issue without any clue, without kernel logging of source route verification when rp_filter enabled

Describe the solution you'd like

Since systemd enable rp_filter by default, I suggest systemd also enable net.ipv4.conf.all.log_martians right after rp_filter in /usr/lib/sysctl.d/50-default.conf

Describe alternatives you've considered

The systemd version you checked that didn't have the feature you are asking for

systemd 248 (v248-13.oe1)

[yuwata]

I guess that introduce flood of logs in many systems. Why we need to enable that feature by default??

[bluca]

These can be changed by drop-ins by design, why doesn't cilium do that? Pretty sure we don't want to enable all these logs by default everywhere

[vincentmli]

Yes, Cilium could be improved to overwrite the default rp_filter setting from systemd see cilium/cilium#10645 (comment)

My concern here is distributions ships systemd with the rp_filter default setting, it could break some applications like cilium that may require rp_filter setting disabled, I totally understand that the applications should handle that, and nothing wrong with systemd having rp_filter enabled by default, but from distribution users perspective, since systemd has the rp_filter enabled by default, systemd probably should also has the logging enabled by default to aid users for trouble shooting purpose if some of their applications require rp_filter disabled. it took me two days to recompile Linux kernel multiple times, use scapy, kernel network tracing tool BPF PWRU tools to eventually find out the default systemd rp_filter setting caused this issue ( I was not aware of rp_filter and never dealt with rp_filter before), if systemd also has the logging enabled, since the first thing I would look is kernel log because I suspected something wrong either in the kernel or kernel setting in the beginning, it would save me two days of trouble shooting the issue :)

[bluca]

The default settings installed universally need to make sense in generic use cases. Installing that particular software is not a generic use case, so it should take care itself of adding the drop-ins it requires. This is extensible and customizable easily by default exactly for this purpose.

[vincentmli]

These can be changed by drop-ins by design, why doesn't cilium do that? Pretty sure we don't want to enable all these logs by default everywhere

if your concern is it might cause excessive logging everywhere, then I think rp_filter should be disabled by default in systemd, just my 2 cents from user perspective :)

[vincentmli]

The default settings installed universally need to make sense in generic use cases. Installing that particular software is not a generic use case, so it should take care itself of adding the drop-ins it requires. This is extensible and customizable easily by default exactly for this purpose.

ok, I don't know rp_filter enough and not aware generic rp_filter use case is to be enabled, that make sense to me, then, having logging enabled would assist users for trouble shooting who is completely not aware of rp_filter, I guess maybe distributions could do that, not up to systemd.