From 5d4fc0e665a3639f92ac880896c56f9533441307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 30 Jan 2020 10:41:31 +0100
Subject: [PATCH] sysctl: set ipv4 settings in a race-free way

Fixes #6282.

This solution is a bit busy, but we close the race without setting *.all.*, so it is still possible to set a different setting for particular interfaces. Setting just "default" is not very useful because any interfaces present before systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because the kernel takes the stronger of the device-specific setting and the "all" value, so effectively having a weaker setting for specific interfaces is not possible.
---
 sysctl.d/50-default.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index c22d690de4..14378b24af 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -23,12 +23,18 @@ kernel.core_uses_pid = 1
 # Source route verification
 net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.*.rp_filter = 2
+-net.ipv4.conf.all.rp_filter
 
 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.*.accept_source_route = 0
+-net.ipv4.conf.all.accept_source_route
 
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.default.promote_secondaries = 1
+net.ipv4.conf.*.promote_secondaries = 1
+-net.ipv4.conf.all.promote_secondaries
 
 # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
 # The upper limit is set to 2^31-1. Values greater than that get rejected by