Darin Perusich wrote:
On Mon, Feb 2, 2015 at 2:31 AM, Per Jessen <per@computer.org> wrote:
Brandon Vincent wrote:
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen <per@computer.org> wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31 the rp_filter for each interface was determined by the logical AND of the all value and the value set for the interface [1].
That would suggest that in your old environment no source validation was being performed.
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...
Brandon Vincent
Sounds like a pretty good guess to me, thanks!
Also SuSEfirewall2, if enabled, will set the rp_filter=1, plus others, unless you set FW_KERNEL_SECURITY="no". If you change this you'll need to reboot since reloading the firewall will not reset the values.
I don't have SuSEfirewall2 installed.
If you're going to set/mod these values via sysctl set them in /etc/sysctl.conf and don't use /etc/sysctl.d/*.conf files. Values in /etc/sysctl.d/*.conf may be overwritten by system defaults set in /lib/sysctl.d/sysctl.conf as systemd loads /lib/sysctl.d AFTER /etc/sysctl.d/, which is the case for net.ipv4.conf.all.rp_filter=0.
Thanks for the warning, this would likely have caused a bit of hair pulling. (I'd already created the file in /etc/sysctl.d/ .... )

--
Per Jessen, Zürich (-4.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
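
Added example, not part of the thread or of any poster's code: a small audit that lists every file assigning rp_filter and then reports the mode the running kernel enforces per interface, so the file that actually won can be identified. It goes slightly beyond the thread by applying the rule used since kernel 2.6.31 (the higher of the "all" and per-interface values); the function names and the optional ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example. The optional ROOT argument is an assumption of this sketch:
# it points the functions at a copied or constructed tree instead of "/".

# List every rp_filter assignment in the sysctl config files as
# "file:line:setting", so competing definitions can be compared.
rp_filter_sources() {
    root="${1:-}"
    for f in "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf \
             "$root"/run/sysctl.d/*.conf "$root"/usr/lib/sysctl.d/*.conf \
             "$root"/lib/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        # Anchored so comments and net.ipv4.conf.*.arp_filter do not match.
        grep -HnE '^[[:space:]]*-?net[./]ipv4[./]conf[./].*[./]rp_filter[[:space:]]*=' "$f" || :
    done
}

# Effective mode for one interface from the "all" and per-interface values.
# Kernels >= 2.6.31 use the higher of the two; "legacy" models the older
# logical-AND behaviour mentioned in the thread.
effective_rp_filter() {
    a="$1"; i="$2"
    if [ "${3:-}" = "legacy" ]; then
        [ "$a" -ne 0 ] && [ "$i" -ne 0 ] && echo 1 || echo 0
    elif [ "$a" -gt "$i" ]; then
        echo "$a"
    else
        echo "$i"
    fi
}

# Print "<interface> <effective mode>" for each interface, read from /proc.
live_rp_filter() {
    base="${1:-}/proc/sys/net/ipv4/conf"
    all=$(cat "$base/all/rp_filter") || return 1
    for d in "$base"/*; do
        name=${d##*/}
        case "$name" in all|default) continue ;; esac
        [ -f "$d/rp_filter" ] || continue
        echo "$name $(effective_rp_filter "$all" "$(cat "$d/rp_filter")")"
    done
}

# Run the audit only when asked, e.g.: sh rp_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    rp_filter_sources
    live_rp_filter
fi
```

On systems where /lib is a symlink to /usr/lib the same file is listed under both paths.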