*** FIRST PROBLEM ***

In /etc/init.d/net.eth0 /proc/sys/net/ipv4/conf/${IFACE}/rp_filter is enabled if /etc/sysctl.conf contains any uncommented line containing rp_filter. I suppose the idea is "if the user doesn't express any special wish in /etc/sysctl.conf, let's enable rp_filtering by default".

If the idea is this, then /etc/init.d/net.eth0 is unable to accomplish it: for reverse path filtering to be enabled on an interface BOTH /proc/sys/net/ipv4/conf/${IFACE}/rp_filter and /proc/sys/net/ipv4/conf/all/rp_filter must be enabled (see /usr/src/linux/Documentation/networking/ip-sysctl.txt; anyway I did some tests to prove it).

A possible solution could be to let /etc/init.d/net.eth0 also set TRUE /proc/sys/net/ipv4/conf/all/rp_filter... but what if a user, ignoring the /etc/init.d/net.eth0 logic, would innocently edit /etc/sysctl.conf and set "net.ipv4.conf.all.rp_filter = 1" or "net.ipv4.conf.default.rp_filter = 1" just to feel safer? If he sets both all and default he's ok; otherwise, instead of being safer, he will lose reverse path filtering because the code in /etc/init.d/net.eth0 would never be activated (because of the uncommented rp_filter line in /etc/sysctl.conf).

A better (and moreover clearer to the end user) solution would be to completely remove the rp_filter logic from /etc/init.d/net.eth0 and simply add "net.ipv4.conf.all.rp_filter = 1" and "net.ipv4.conf.default.rp_filter = 1" as Gentoo defaults in /etc/sysctl.conf.

NB: see related bug http://bugs.gentoo.org/show_bug.cgi?id=24235

*** SECOND (related) PROBLEM ***

Some of the commented lines in /etc/sysctl.conf are misleading:

# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1

The user should be warned (in comments) about the inner logic of /etc/init.d/net.eth0 (in case you decide to keep it); moreover, you need to also enable net.ipv4.conf.all.rp_filter to get working reverse path filtering.
Finally, I suggest adding these lines to /etc/sysctl.conf (maybe commented) because 99% of the time they are desirable defaults:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1

Reproducible: Always

Steps to Reproduce:
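The following script is an added example, not code from this bug report or from baselayout. It audits a sysctl.conf fragment against the interactions the report describes: the net.eth0 fallback that only touches conf/${IFACE}/rp_filter and is skipped whenever an uncommented rp_filter line exists, the rule cited from ip-sysctl.txt that BOTH conf/all and conf/<iface> must be 1 for filtering to work, and the fact that conf/default only seeds interfaces created afterwards. It also lists which of the recommended lines from the report a config is still missing. The function names and the sample config texts are constructed for the example. One caveat for readers on newer kernels: later versions of ip-sysctl.txt document rp_filter as using the maximum of the conf/all and conf/<iface> values rather than requiring both, so the AND rule encoded below is the one the report states, not a universal one.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or baselayout). Function names and
# sample configs are constructed; the rules mirror what the report describes.

# Constructed stand-ins for /etc/sysctl.conf contents.
CONF_UNTOUCHED='# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0'

CONF_DEFAULT_ONLY='# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0'

CONF_BOTH='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

# The defaults the report proposes for /etc/sysctl.conf, as "key value".
RECOMMENDED='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1'

# Drop comment lines: what the init script would treat as "uncommented".
uncommented_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# True if any uncommented line mentions rp_filter (the condition the report
# says net.eth0 keys on to decide whether to apply its own fallback).
has_uncommented_rp_filter() {
    uncommented_lines "$1" | grep -q 'rp_filter'
}

# Print the last uncommented numeric value assigned to key $2 in config
# text $1, or nothing if the key is not set.
sysctl_conf_value() {
    uncommented_lines "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
        | tail -n 1
}

# The AND rule from the report: conf/all AND conf/<iface> must both be 1.
rp_filter_effective() {
    [ "${1:-0}" -eq 1 ] && [ "${2:-0}" -eq 1 ]
}

# Prints "effective" or "ineffective" for an interface brought up after the
# config is applied, with the net.eth0 fallback taken into account.
audit_rp_filter() {
    conf="$1"
    all=$(sysctl_conf_value "$conf" net.ipv4.conf.all.rp_filter)
    def=$(sysctl_conf_value "$conf" net.ipv4.conf.default.rp_filter)
    iface="${def:-0}"              # a new interface starts from conf/default
    if ! has_uncommented_rp_filter "$conf"; then
        iface=1                    # net.eth0 sets conf/<iface>/rp_filter only
    fi
    if rp_filter_effective "${all:-0}" "$iface"; then
        echo effective
    else
        echo ineffective
    fi
}

# Prints the recommended "key = value" lines the config does not yet set.
missing_recommended_lines() {
    printf '%s\n' "$RECOMMENDED" | while read -r key want; do
        [ "$(sysctl_conf_value "$1" "$key")" = "$want" ] || echo "$key = $want"
    done
}

printf '%-18s %s\n' 'untouched:'    "$(audit_rp_filter "$CONF_UNTOUCHED")"
printf '%-18s %s\n' 'default only:' "$(audit_rp_filter "$CONF_DEFAULT_ONLY")"
printf '%-18s %s\n' 'all+default:'  "$(audit_rp_filter "$CONF_BOTH")"
```

Run it with sh; the untouched config (init-script fallback only) and the "default only" config both come out ineffective under the report's rule, while setting all and default together is the only case that works. Pass a real /etc/sysctl.conf by reading it into a variable, e.g. `audit_rp_filter "$(cat /etc/sysctl.conf)"`.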
Fixed in CVS. Will be in baselayout-1.11.7
Fixed in baselayout-1.11.7-r1