On Mon, Feb 2, 2015 at 2:31 AM, Per Jessen wrote:
Brandon Vincent wrote:
On Sun, Feb 1, 2015 at 1:05 PM, Per Jessen wrote:
This is, I think, a rather complex network/TCP issue. If anyone is thoroughly familiar with the workings of the TCP/IP 'rp_filter' setting, this might be a question for you.
Just a guess, but in kernels prior to 2.6.31, the rp_filter for each interface was determined by the logical AND of the all value and the value set for the interface [1].
That would suggest that in your old environment no source validation was being performed.
[1] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27...
Brandon Vincent
Sounds like a pretty good guess to me, thanks!
Also SuSEfirewall2, if enabled, will set rp_filter=1, plus others, unless you set FW_KERNEL_SECURITY="no". If you change this you'll need to reboot, since reloading the firewall will not reset the values.

If you're going to set/mod these values via sysctl, set them in /etc/sysctl.conf and don't use /etc/sysctl.d/*.conf files. Values in /etc/sysctl.d/*.conf may be overwritten by system defaults set in /lib/sysctl.d/sysctl.conf, as systemd loads /lib/sysctl.d AFTER /etc/sysctl.d/, which is the case for net.ipv4.conf.all.rp_filter=0.

I've done extensive testing of this on openSUSE 13.1 in setting up multipath + iSCSI storage access to Dell/EqualLogic and FusionIO ioControl SANs. This behavior may have changed since; it's been a while since I've tested this.

--
Later,
Darin
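An added example, not part of the thread and not any poster's code: a POSIX shell audit that computes the effective per-interface rp_filter under the AND rule described above for kernels before 2.6.31 and under the max-of-all-and-interface rule that the kernel's ip-sysctl documentation gives for later kernels, and lists every sysctl file line that sets an rp_filter key. The root-directory argument, the function names and the sample tree (including `90-local.conf`) are constructed for illustration.

```shell
# Added example. The first argument of each function is a root directory
# (hypothetical parameter): "" for the live system, or a copied/constructed tree.
# Effective rp_filter for an interface. rule=and: kernels before 2.6.31
# (all AND interface); rule=max: 2.6.31 and later (max of all and interface).
effective_rp_filter() {
    conf="$1/proc/sys/net/ipv4/conf"; rule=${3:-max}
    all=$(cat "$conf/all/rp_filter") || return 1
    dev=$(cat "$conf/$2/rp_filter") || return 1
    if [ "$rule" = and ]; then
        if [ "$all" -ne 0 ] && [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi
    elif [ "$all" -gt "$dev" ]; then echo "$all"
    else echo "$dev"
    fi
}

# Interfaces on which no source validation is performed (effective value 0).
unvalidated_ifaces() {
    for d in "$1"/proc/sys/net/ipv4/conf/*; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac
        [ "$(effective_rp_filter "$1" "$iface" "${2:-max}")" -ne 0 ] || echo "$iface"
    done
}

# Every config line that sets an rp_filter key (dot notation), as file:line:text.
rp_filter_sources() {
    for f in "$1/etc/sysctl.conf" "$1"/etc/sysctl.d/*.conf "$1"/lib/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*net\.ipv4\.conf\.[^=]+\.rp_filter[[:space:]]*=' \
            "$f" /dev/null || true
    done
}

# Constructed sample tree: all=0, eth0=1, eth1=0, plus two conflicting settings.
demo_tree() {
    t=$(mktemp -d); c="$t/proc/sys/net/ipv4/conf"
    mkdir -p "$c/all" "$c/eth0" "$c/eth1" "$t/etc/sysctl.d" "$t/lib/sysctl.d"
    echo 0 > "$c/all/rp_filter"; echo 1 > "$c/eth0/rp_filter"
    echo 0 > "$c/eth1/rp_filter"
    echo 'net.ipv4.conf.all.rp_filter = 1' > "$t/etc/sysctl.d/90-local.conf"
    echo 'net.ipv4.conf.all.rp_filter = 0' > "$t/lib/sysctl.d/sysctl.conf"
    echo "$t"
}

tree=$(demo_tree)
echo "unvalidated, AND rule (pre-2.6.31):" $(unvalidated_ifaces "$tree" and)
echo "unvalidated, max rule (2.6.31+):" $(unvalidated_ifaces "$tree" max)
rp_filter_sources "$tree"; rm -rf "$tree"
```

With all=0 and eth0=1, the AND rule leaves eth0 without source validation while the max rule validates it; the file listing shows where conflicting settings live so the running value can be compared against each.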