Changing the rp_filter default in Ubuntu from strict to loose?

Sebastien Bacher
Hey there,

The new network-manager in disco does connectivity checking
per-device/connection type which doesn't play nicely with the rp_filter=1
default that procps sets in Ubuntu

The details of the discussions in
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/116
but a summary is

'it uses libcurl and binds the HTTP request to the device, using the
SO_BINDTODEVICE socket option. rc_filter=1 rejects all incoming packets,
if the sender wouldn't also be reached via that device. It thus
counteracts SO_BINDTODEVICE.'

Basically those are conflicting so we need to either disable the
connectivity checker or change the rp_filter default. It looks like
systemd upstream and fedora already decided to change to default to
rp_filter=2 (loose)
https://github.com/systemd/systemd/commit/230450d4

Can we do the same in Ubuntu?


Cheers,
Sebastien Bacher



--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
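
The conflict described in the message above, as an added example that is not part of the original thread: a simplified Python model of the kernel's reverse-path check, showing why the reply to a device-bound connectivity check is dropped under strict mode and accepted under loose mode. The routing table, interface names and server address are constructed; the real kernel check has more cases than this model.

```python
"""Simplified model of the Linux rp_filter decision (added illustration)."""
import ipaddress

OFF, STRICT, LOOSE = 0, 1, 2

def effective_mode(conf_all, conf_iface):
    # The kernel validates with the higher of conf/all and conf/<iface>.
    return max(conf_all, conf_iface)

def best_route(routes, addr):
    """Longest-prefix match, ties broken by lowest metric; None if unroutable."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["dst"])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen,
                                    r["metric"]))

def rpf_accepts(mode, routes, src, in_iface):
    """Would a packet from `src` arriving on `in_iface` pass source validation?"""
    if mode == OFF:
        return True
    route = best_route(routes, src)
    if mode == LOOSE:
        return route is not None  # source reachable via any interface
    return route is not None and route["dev"] == in_iface  # strict

# Constructed routing table: wired and Wi-Fi both up, wired preferred.
ROUTES = [
    {"dst": "0.0.0.0/0", "dev": "eth0", "metric": 100},
    {"dst": "0.0.0.0/0", "dev": "wlan0", "metric": 600},
    {"dst": "192.168.1.0/24", "dev": "eth0", "metric": 100},
    {"dst": "192.168.2.0/24", "dev": "wlan0", "metric": 600},
]
CHECK_SERVER = "203.0.113.10"  # constructed address (TEST-NET-3)

def connectivity_check_results(mode):
    """A check bound to a device gets its reply on that same device."""
    return {dev: rpf_accepts(mode, ROUTES, CHECK_SERVER, dev)
            for dev in ("eth0", "wlan0")}

if __name__ == "__main__":
    for name, mode in (("strict", STRICT), ("loose", LOOSE)):
        print(name, connectivity_check_results(mode))
```

Loose mode still drops packets whose source has no route at all, which is the part of the filter that remains after the change.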
Re: Changing the rp_filter default in Ubuntu from strict to loose?

Marc Deslauriers-3
On 2019-02-07 11:35 a.m., Sebastien Bacher wrote:

> Hey there,
>
> The new network-manager in disco does connectivity checking
> per-device/connection type which doesn't play nicely with the rp_filter=1
> default that procps sets in Ubuntu
>
> The details of the discussions in
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/116
> but a summary is
>
> 'it uses libcurl and binds the HTTP request to the device, using the
> SO_BINDTODEVICE socket option. rc_filter=1 rejects all incoming packets,
> if the sender wouldn't also be reached via that device. It thus
> counteracts SO_BINDTODEVICE.'
>
> Basically those are conflicting so we need to either disable the
> connectivity checker or change the rp_filter default. It looks like
> systemd upstream and fedora already decided to change to default to
> rp_filter=2 (loose)
> https://github.com/systemd/systemd/commit/230450d4
>
> Can we do the same in Ubuntu?
>
>
> Cheers,
> Sebastien Bacher
>
>
>

Loose is reasonable. +1 from me.

Marc.


Re: Changing the rp_filter default in Ubuntu from strict to loose?

Sebastien Bacher
On 07/02/2019 at 17:47, Marc Deslauriers wrote:
> Loose is reasonable. +1 from me.

Thanks, Marc, I've uploaded that to disco now!
https://launchpad.net/ubuntu/+source/procps/2:3.3.15-2ubuntu2

Cheers,
Sebastien Bacher

