Bug 71971 - rp_filter not properly activated in /etc/init.d/net.eth0
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Keywords: InVCS
Blocks: 66472
Reported: 2004-11-21 10:56 UTC by Alessandro Zarrilli
Modified: 2016-06-17 16:04 UTC (History)
Description Alessandro Zarrilli 2004-11-21 10:56:12 UTC
*** FIRST PROBLEM ***
In /etc/init.d/net.eth0 /proc/sys/net/ipv4/conf/${IFACE}/rp_filter is enabled if /etc/sysctl.conf contains any uncommented line containing rp_filter. I suppose the idea is "if the user doesn't express any special wish in /etc/sysctl.conf, let's enable rp_filtering by default". If the idea is this, then /etc/init.d/net.eth0 is unable to accomplish it: for reverse path filtering to be enabled on an interface BOTH /proc/sys/net/ipv4/conf/${IFACE}/rp_filter and /proc/sys/net/ipv4/conf/all/rp_filter must be enabled (see /usr/src/linux/Documentation/networking/ip-sysctl.txt, anyway I did some tests to prove it).

A possible solution could be to let /etc/init.d/net.eth0 also set /proc/sys/net/ipv4/conf/all/rp_filter to TRUE... but what if a user, ignoring /etc/init.d/net.eth0 logic, would innocently edit /etc/sysctl.conf and set "net.ipv4.conf.all.rp_filter = 1" or "net.ipv4.conf.default.rp_filter = 1" just to feel safer? If he sets both all and default he's ok, otherwise instead of being safer he will lose reverse path filtering because the code in /etc/init.d/net.eth0 would never be activated (because of the uncommented rp_filter line in /etc/sysctl.conf).

A better (and moreover clearer to the end-user) solution would be to completely remove the rp_filter logic from /etc/init.d/net.eth0 and simply add "net.ipv4.conf.all.rp_filter = 1" and "net.ipv4.conf.default.rp_filter = 1" as Gentoo defaults in /etc/sysctl.conf.

NB: see related bug http://bugs.gentoo.org/show_bug.cgi?id=24235



*** SECOND (related) PROBLEM ***
Some of the commented lines in /etc/sysctl.conf are misleading:

# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1

The user should be warned (in comments) about the inner logic of /etc/init.d/net.eth0 (in case you decide to keep it), moreover you need to also enable net.ipv4.conf.all.rp_filter to get a working reverse path filtering.

Finally, I suggest adding these lines to /etc/sysctl.conf (maybe commented) because 99% of the time they are desirable defaults:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1

Reproducible: Always
Steps to Reproduce:
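The interaction the report describes can be checked directly on a host: reverse path filtering is only effective on an interface when both conf/all/rp_filter and conf/<iface>/rp_filter are non-zero (the rule stated in the report for kernels of that era; later kernels take the maximum of the two values instead, so the check below is specific to the semantics described here), and net.eth0 skips its own rp_filter handling whenever /etc/sysctl.conf has an uncommented line mentioning rp_filter. The following shell script is an added example, not code from the bug or from baselayout; the variable names PROC_ROOT and SYSCTL_CONF and the function names are my own, and make_fixture builds a constructed fake /proc tree so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the bug report or baselayout).
# Reports whether reverse path filtering is effectively active on an
# interface under the "both conf/all and conf/<iface> must be set" rule,
# and whether /etc/sysctl.conf would make net.eth0 skip its rp_filter code.
# PROC_ROOT and SYSCTL_CONF are assumed names, overridable for testing.

PROC_ROOT="${PROC_ROOT:-/proc}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# read_flag FILE -> prints the file's value, or 0 if it is missing/unreadable
read_flag() {
    cat "$1" 2>/dev/null || echo 0
}

# rp_filter_effective IFACE -> prints "on" only when both knobs are non-zero
rp_filter_effective() {
    all=$(read_flag "$PROC_ROOT/sys/net/ipv4/conf/all/rp_filter")
    dev=$(read_flag "$PROC_ROOT/sys/net/ipv4/conf/$1/rp_filter")
    if [ "$all" != 0 ] && [ "$dev" != 0 ]; then
        echo on
    else
        echo off
    fi
}

# sysctl_mentions_rp_filter -> succeeds if any uncommented line in
# SYSCTL_CONF mentions rp_filter (the condition that disables net.eth0's logic)
sysctl_mentions_rp_filter() {
    grep -v '^[[:space:]]*#' "$SYSCTL_CONF" 2>/dev/null | grep -q rp_filter
}

# rp_filter_diagnose IFACE -> one-line summary of the situation on IFACE
rp_filter_diagnose() {
    state=$(rp_filter_effective "$1")
    if sysctl_mentions_rp_filter; then
        src="sysctl.conf mentions rp_filter, so net.$1 leaves it alone"
    else
        src="sysctl.conf is silent on rp_filter, so net.$1 only sets conf/$1/rp_filter"
    fi
    echo "rp_filter on $1: $state ($src)"
}

# make_fixture DIR ALL DEV -> constructed fake /proc tree for offline testing
make_fixture() {
    mkdir -p "$1/sys/net/ipv4/conf/all" "$1/sys/net/ipv4/conf/eth0"
    echo "$2" > "$1/sys/net/ipv4/conf/all/rp_filter"
    echo "$3" > "$1/sys/net/ipv4/conf/eth0/rp_filter"
}

# Usage on a live host (only runs when the real knobs exist):
[ -r "$PROC_ROOT/sys/net/ipv4/conf/all/rp_filter" ] && rp_filter_diagnose eth0
```

Run it as-is to see the diagnosis for eth0 on the current host; with PROC_ROOT and SYSCTL_CONF pointed at a fixture directory it reproduces the report's failure case (conf/all left at 0 while net.eth0 set conf/eth0 to 1, giving no filtering at all).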
Comment 1 Roy Marples (RETIRED) gentoo-dev 2004-11-23 08:25:45 UTC
Fixed in CVS

Will be in baselayout-1.11.7
Comment 2 Roy Marples (RETIRED) gentoo-dev 2004-12-04 03:51:49 UTC
Fixed in baselayout-1.11.7-r1