[oe-commits] [openembedded-core] 12/13: procps: update legacy sysctl.conf to fix rp_filter sysctl issue

git at git.openembedded.org git at git.openembedded.org
Sun May 12 08:11:35 UTC 2019 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

commit f0b5f56b101d98574f81decd9de76222e7f20603
Author: Michael Scott <mike at foundries.io>
AuthorDate: Thu May 9 11:06:41 2019 -0700

    procps: update legacy sysctl.conf to fix rp_filter sysctl issue
    
    The sysctl.conf file for procps is very outdated:
    https://git.openembedded.org/openembedded-core/commit/?id=8a9b9a323f4363e27138077e3e3dce8139a36708
    (circa 2014)
    
    The origin of this file is hard to determine and due to it's age
    is causing a routing issue when both wifi and ethernet are enabled.
    This manifested during an update from thud -> warrior due to the
    following:
    - upstream change in NetworkManager during 1.16 cycle removes the
      dynamic setting of rp_filter sysctl when more than one interface
      is enabled:
      https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b1082aa9a711deb96652e5b2fcaefcf399d127b8
    - open-embedded updated to NetworkManager 1.16 in March 2019:
      https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/networkmanager?id=5509328af9e4fab267251456f4d6e7bd51df779a
    - setting in legacy sysctl.conf sets rp_filter to 1 which blocks
      packets with different inbound and outbound addresses.
    
    Documentation of rp_filter setting from kernel.org:
    
    rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.
    
    This patch updates the sysctl.conf file to current which doesn't set
    the rp_filter mode explicity (2 is the default).
    
    NOTE: The kernel/pid_max=10000 setting has been commented out as this
    may not be desired by default.
    
    Signed-off-by: Michael Scott <mike at foundries.io>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/recipes-extended/procps/procps/sysctl.conf | 105 ++++++++++++------------
 1 file changed, 54 insertions(+), 51 deletions(-)

diff --git a/meta/recipes-extended/procps/procps/sysctl.conf b/meta/recipes-extended/procps/procps/sysctl.conf
index 34e7488..253f370 100644
--- a/meta/recipes-extended/procps/procps/sysctl.conf
+++ b/meta/recipes-extended/procps/procps/sysctl.conf
@@ -1,64 +1,67 @@
-# This configuration file is taken from Debian.
+# This configuration taken from procps v3.3.15
+# Commented out kernel/pid_max=10000 line
 #
 # /etc/sysctl.conf - Configuration file for setting system variables
 # See sysctl.conf (5) for information.
-#
 
-#kernel.domainname = example.com
+# you can have the CD-ROM close when you use it, and open
+# when you are done.
+#dev.cdrom.autoeject = 1
+#dev.cdrom.autoclose = 1
 
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 4 4 1 7
+# protection from the SYN flood attack
+net/ipv4/tcp_syncookies=1
 
-##############################################################3
-# Functions previously found in netbase
-#
+# see the evil packets in your log files
+net/ipv4/conf/all/log_martians=1
 
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
+# makes you vulnerable or not :-)
+net/ipv4/conf/all/accept_redirects=0
+net/ipv4/conf/all/accept_source_route=0
+net/ipv4/icmp_echo_ignore_broadcasts =1
 
-# Uncomment the next line to enable TCP/IP SYN cookies
-#net.ipv4.tcp_syncookies=1
+# needed for routing, including masquerading or NAT
+#net/ipv4/ip_forward=1
 
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
+# sets the port range used for outgoing connections
+#net.ipv4.ip_local_port_range = 32768    61000
 
-# Uncomment the next line to enable packet forwarding for IPv6
-#net.ipv6.conf.all.forwarding=1
+# Broken routers and obsolete firewalls will corrupt the window scaling
+# and ECN. Set these values to 0 to disable window scaling and ECN.
+# This may, rarely, cause some performance loss when running high-speed
+# TCP/IP over huge distances or running TCP/IP over connections with high
+# packet loss and modern routers. This sure beats dropped connections.
+#net.ipv4.tcp_ecn = 0
 
+# Swapping too much or not enough? Disks spinning up when you'd
+# rather they didn't? Tweak these.
+#vm.vfs_cache_pressure = 100
+#vm.laptop_mode = 0
+#vm.swappiness = 60
 
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Ignore ICMP broadcasts
-#net.ipv4.icmp_echo_ignore_broadcasts = 1
-#
-# Ignore bogus ICMP errors
-#net.ipv4.icmp_ignore_bogus_error_responses = 1
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
+#kernel.printk_ratelimit_burst = 10
+#kernel.printk_ratelimit = 5
+#kernel.panic_on_oops = 0
+
+# Reboot 600 seconds after a panic
+#kernel.panic = 600
+
+# enable SysRq key (note: console security issues)
+#kernel.sysrq = 1
+
+# Change name of core file to start with the command name
+# so you get things like: emacs.core mozilla-bin.core X.core
+#kernel.core_pattern = %e.core
+
+# NIS/YP domain (not always equal to DNS domain)
+#kernel.domainname = example.com
+#kernel.hostname = darkstar
+
+# This limits PID values to 4 digits, which allows tools like ps
+# to save screen space.
+#kernel/pid_max=10000
 
-#kernel.shmmax = 141762560
+# Protects against creating or following links under certain conditions
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks = 1
+#fs.protected_symlinks = 1

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list