sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2 by lkundrak · Pull Request #10971

sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2 by lkundrak · Pull Request #10971 · systemd/systemd

Conversation

This switches the RFC3704 Reverse Path filtering from Strict mode to Loose
mode. The Strict mode breaks some pretty common and reasonable use cases,
such as keeping connections via one default route alive after another one
appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).

The strict filter also makes it impossible for NetworkManager to do
connectivity check on a newly arriving default route (it starts with a
higher metric and is bumped lower if there's connectivity).

Kernel's default is 0 (no filter), but a Loose filter is good enough. The
few use cases where a Strict mode could make sense can easily override
this.

The distributions that don't care about the client use cases and prefer a
strict filter could just ship a custom configuration in
/usr/lib/sysctl.d/ to override this.

fdo-mirror pushed a commit to freedesktop/NetworkManager that referenced this issue

Dec 13, 2018

Don't let NetworkManager change rp_filter sysctl [1]. By default, various
distributions set rp_filter rather strict. That works badly, in common cases
where the user connects multiple interfaces to the same IP network (for
example, using Wi-Fi and ethernet in your home network). It also confuses
connectivity checking. For that reason, NetworkManager would loosen the
rp_filter setting.

However, that was not configurable and users who really wanted a strict
setting could not prevent NetworkManager from doing it ([2], [3], [4]).

Hence it was decided, that a better solution is for NetworkManager not
to do anything about rp_filter. Instead, distibutions should not enable
it strictly (or at least, only for certain setups where it makes sense
-- if it ever makes sense) ([5], [6]);

Disble this behavior for the moment. In the future, the code will be
removed entirely.

[1] https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1492472
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1593194
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1651097
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1653824
[6] systemd/systemd#10971

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1651097

fdo-mirror pushed a commit to freedesktop/NetworkManager that referenced this issue

Dec 13, 2018

Don't let NetworkManager change rp_filter sysctl [1]. By default, various
distributions set rp_filter rather strict. That works badly, in common cases
where the user connects multiple interfaces to the same IP network (for
example, using Wi-Fi and ethernet in your home network). It also confuses
connectivity checking. For that reason, NetworkManager would loosen the
rp_filter setting.

However, that was not configurable and users who really wanted a strict
setting could not prevent NetworkManager from doing it ([2], [3], [4]).

Hence it was decided, that a better solution is for NetworkManager not
to do anything about rp_filter. Instead, distibutions should not enable
it strictly (or at least, only for certain setups where it makes sense
-- if it ever makes sense) ([5], [6]);

Disble this behavior for the moment. In the future, the code will be
removed entirely.

[1] https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1492472
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1593194
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1651097
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1653824
[6] systemd/systemd#10971

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1651097
(cherry picked from commit b1082aa)

lucab mentioned this pull request

Jul 18, 2019

lucab mentioned this pull request

Jul 24, 2019