DevHeads.net

Changing the rp_filter default in Ubuntu from strict to loose?

Hey there,

The new network-manager in disco does connectivity checking
per-device/connection type which doesn't play nicely with the rp_filter=1
default that procps sets in Ubuntu.

The details of the discussion are in
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/116
but a summary is:

'it uses libcurl and binds the HTTP request to the device, using the
SO_BINDTODEVICE socket option. rc_filter=1 rejects all incoming packets,
if the sender wouldn't also be reached via that device. It thus
counteracts SO_BINDTODEVICE.'

Basically those are conflicting so we need to either disable the
connectivity checker or change the rp_filter default. It looks like
systemd upstream and Fedora already decided to change the default to
rp_filter=2 (loose):
https://github.com/systemd/systemd/commit/230450d4

Can we do the same in Ubuntu?

Cheers,
Sebastien Bacher

Comments

Re: Changing the rp_filter default in Ubuntu from strict to loos

By Marc Deslauriers at 02/07/2019 - 11:47

On 2019-02-07 11:35 a.m., Sebastien Bacher wrote:
Loose is reasonable. +1 from me.

Marc.

Re: Changing the rp_filter default in Ubuntu from strict to loos

By Sebastien Bacher at 02/07/2019 - 17:48

On 07/02/2019 at 17:47, Marc Deslauriers wrote:
Thanks, Marc, I've uploaded that to disco now!
https://launchpad.net/ubuntu/+source/procps/2:3.3.15-2ubuntu2

Cheers,
Sebastien Bacher
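
A check to run after changing the default, added here as an example and not part of the original thread: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter to each interface, so this Python script reports which interfaces still end up in strict mode. The sample tree, its values and the interface names are constructed; on a live host, pass /proc/sys/net/ipv4/conf to `read_rp_filter` instead.

```python
import os
import tempfile

MODES = {0: "off", 1: "strict", 2: "loose"}

def read_rp_filter(conf_root):
    """Return {name: value} for each <conf_root>/<name>/rp_filter file."""
    values = {}
    for name in sorted(os.listdir(conf_root)):
        path = os.path.join(conf_root, name, "rp_filter")
        if os.path.isfile(path):
            with open(path) as fh:
                values[name] = int(fh.read().strip())
    return values

def effective_modes(values):
    """Per-interface mode: max(conf/all, conf/<iface>), as the kernel applies it."""
    all_value = values.get("all", 0)
    return {name: MODES[max(all_value, value)]
            for name, value in values.items()
            if name not in ("all", "default")}

def strict_interfaces(values):
    """Interfaces where replies to device-bound sockets can still be dropped."""
    return sorted(n for n, m in effective_modes(values).items() if m == "strict")

def write_sample_tree(root, values):
    """Create a constructed stand-in for /proc/sys/net/ipv4/conf."""
    for name, value in values.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "rp_filter"), "w") as fh:
            fh.write(f"{value}\n")

# Constructed sample values, not taken from a real host.
SAMPLE = {"all": 1, "default": 1, "lo": 0, "eth0": 1, "wlan0": 2}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root, SAMPLE)
        values = read_rp_filter(root)
    for iface, mode in effective_modes(values).items():
        print(f"{iface}: {mode}")
    print("still strict:", strict_interfaces(values))
```

With conf/all left at 1, an interface set to 0 is still filtered strictly, while one set to 2 becomes loose.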