This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.

I am slowly beginning to migrate a test environment from openSUSE 11.0 to openSUSE 13.[12] (xen). In the PREV setting, I am running kernel 2.6.25.5-1.1-pae (on real iron), in the NEXT setting I am running 3.16.7-7-xen (virtual).

In the PREV setting, I have the following:

# cat /proc/sys/net/ipv4/conf/*/rp_filter
1
0
0
0
0
0
0
0

I.e. /proc/sys/net/ipv4/conf/all/rp_filter = 1.

In the NEXT setting, I started with the same, but this prevented normal operation. Instead I had to change to:

/proc/sys/net/ipv4/conf/ipip0/rp_filter = 2
/proc/sys/net/ipv4/conf/ipip1/rp_filter = 2

I'll be happy to explain the details of the network setup (involves lvs, ipip tunnels and some masquerading).

--
Per Jessen, Zürich (1.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen <per@computer.org> wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31 the rp_filter for each interface was determined by the logical AND of the all value and the value set for the interface [1]. That would suggest that in your old environment no source validation was being performed.

[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...

Brandon Vincent
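To make the semantic change Brandon points at concrete, here is an added example (not part of the thread) that evaluates the effective rp_filter mode per interface both ways: the pre-2.6.31 logical AND of conf/all and conf/<if>, and the current rule where the larger of the two values wins. It runs against the live /proc tree or, as shown, against a constructed copy of Per's NEXT values (all=1, ipip0/ipip1=2, eth0 left at 0).

```shell
#!/bin/sh
# Added example, not from the thread: effective rp_filter under both kernel semantics.

# Pre-2.6.31: validation only happens if BOTH conf/all and conf/<if> are non-zero.
rp_effective_old() {
    if [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then echo 1; else echo 0; fi
}

# 2.6.31 and later: the stricter (numerically larger) of the two values applies.
rp_effective_new() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;     # no reverse-path check at all
        1) echo "strict" ;;  # source must route back via the receiving interface
        2) echo "loose" ;;   # source must be reachable via any interface
        *) echo "unknown" ;;
    esac
}

# Report every interface under a conf tree (default: the live kernel tree).
# Pass another directory to analyse a copied or constructed tree offline.
rp_report() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter") || return 1
    for d in "$root"/*/; do
        dev=$(basename "$d")
        case "$dev" in all|default) continue ;; esac
        v=$(cat "$d/rp_filter")
        printf '%-8s all=%s if=%s  pre-2.6.31=%-6s  current=%s\n' "$dev" "$all" "$v" \
            "$(rp_mode_name "$(rp_effective_old "$all" "$v")")" \
            "$(rp_mode_name "$(rp_effective_new "$all" "$v")")"
    done
}

# Constructed tree mirroring the NEXT setting from the thread (values are assumed, not captured).
rp_demo_tree() {
    t=$(mktemp -d)
    for dev in all default eth0 ipip0 ipip1; do mkdir -p "$t/$dev"; done
    echo 1 > "$t/all/rp_filter";  echo 0 > "$t/default/rp_filter"
    echo 0 > "$t/eth0/rp_filter"; echo 2 > "$t/ipip0/rp_filter"; echo 2 > "$t/ipip1/rp_filter"
    echo "$t"
}

rp_report "$(rp_demo_tree)"
```

The report shows why the old box worked with all=1 and per-interface 0 (effective mode "off", i.e. no source validation) while the new kernel enforces strict on those same interfaces, and why setting ipip0/ipip1 to 2 is the only way to relax them when all=1: the per-interface value can raise the mode but never lower it below conf/all.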
Brandon Vincent wrote:
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen <per@computer.org> wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31 the rp_filter for each interface was determined by the logical and of the all value and the value set for the interface [1].
That would suggest that in your old environment no source validation was being performed.
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...
Brandon Vincent
Sounds like a pretty good guess to me, thanks!

--
Per Jessen, Zürich (1.4°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Mon, Feb 2, 2015 at 2:31 AM, Per Jessen <per@computer.org> wrote:
Brandon Vincent wrote:
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen <per@computer.org> wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31 the rp_filter for each interface was determined by the logical and of the all value and the value set for the interface [1].
That would suggest that in your old environment no source validation was being performed.
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...
Brandon Vincent
Sounds like a pretty good guess to me, thanks!
Also SuSEfirewall2, if enabled, will set rp_filter=1, plus others, unless you set FW_KERNEL_SECURITY="no". If you change this you'll need to reboot since reloading the firewall will not reset the values.

If you're going to set/mod these values via sysctl, set them in /etc/sysctl.conf and don't use /etc/sysctl.d/*.conf files. Values in /etc/sysctl.d/*.conf may be overwritten by system defaults set in /lib/sysctl.d/sysctl.conf as systemd loads /lib/sysctl.d AFTER /etc/sysctl.d/, which is the case for net.ipv4.conf.all.rp_filter=0.

I've done extensive testing of this on openSUSE 13.1 in setting up multipath+iSCSI storage access to Dell/EqualLogic and FusionIO ioControl SANs. This behavior may have changed since; it's been a while since I've tested this.

--
Later,
Darin
Darin Perusich wrote:
On Mon, Feb 2, 2015 at 2:31 AM, Per Jessen <per@computer.org> wrote:
Brandon Vincent wrote:
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen <per@computer.org> wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the tcp/ip 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31 the rp_filter for each interface was determined by the logical and of the all value and the value set for the interface [1].
That would suggest that in your old environment no source validation was being performed.
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...
Brandon Vincent
Sounds like a pretty good guess to me, thanks!
Also SuSEfirewall2, if enabled, will set rp_filter=1, plus others, unless you set FW_KERNEL_SECURITY="no". If you change this you'll need to reboot since reloading the firewall will not reset the values.
I don't have SuSEfirewall2 installed.
If you're going to set/mod these values via sysctl, set them in /etc/sysctl.conf and don't use /etc/sysctl.d/*.conf files. Values in /etc/sysctl.d/*.conf may be overwritten by system defaults set in /lib/sysctl.d/sysctl.conf as systemd loads /lib/sysctl.d AFTER /etc/sysctl.d/, which is the case for net.ipv4.conf.all.rp_filter=0.
Thanks for the warning, this would likely have caused a bit of hair pulling. (I'd already created the file in /etc/sysctl.d/ ....)

--
Per Jessen, Zürich (-4.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.