| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-01-30 10:41:31 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-02-04 00:01:50 +0100 |
| commit | 5d4fc0e665a3639f92ac880896c56f9533441307 (patch) | |
| tree | 19d2d4524395848394fda275ca9add4b86d4a7b9 | |
| parent | sysctl: add glob syntax to sysctl.d files (diff) | |
| download | systemd-5d4fc0e665a3639f92ac880896c56f9533441307.tar.xz, systemd-5d4fc0e665a3639f92ac880896c56f9533441307.zip | |
sysctl: set ipv4 settings in a race-free way
Fixes #6282.
This solution is a bit busy, but we close the race without setting *.all.*, so
it is still possible to set a different setting for particular interfaces.
Setting just "default" is not very useful because any interfaces present before
systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because
the kernel takes the stronger of the device-specific setting and the "all" value,
so effectively having a weaker setting for specific interfaces is not possible.
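As an added illustration (not code from this commit or from systemd itself), the following Python model compares the three strategies the commit message weighs: setting only `default`, setting `all`, and the glob-minus-`all` form the commit adopts. It assumes a simplified reading of the sysctl.d glob syntax (a `*` in a key expands against the names present under the conf directory, and a value-less `-key` line removes keys produced by an earlier glob), models the kernel's `rp_filter` combination as the stronger of `all` and the per-interface value exactly as the message describes, and uses a constructed interface list rather than a real `/proc` capture.

```python
import fnmatch
from collections import OrderedDict

# Constructed example: entries under /proc/sys/net/ipv4/conf/ on a
# hypothetical host (assumption, not a real capture).
CONF_DIRS = ["all", "default", "lo", "eth0", "wlan0"]


def expand_glob(pattern, names):
    """Expand the '*' component of a sysctl key against `names`.
    Simplified model of systemd's glob support (assumption): '*' stands
    for one path component, here an interface directory."""
    return [c for c in (pattern.replace("*", n) for n in names)
            if fnmatch.fnmatchcase(c, pattern)]


def resolve(lines, names=CONF_DIRS):
    """Turn sysctl.d lines into an ordered {key: value} map.

    Simplified model (assumption, not systemd-sysctl's implementation):
      * 'key = value' sets that key;
      * a key containing '*' is expanded against `names`;
      * '-pattern' with no '=' removes matching keys that came from an
        earlier glob, leaving explicitly set keys alone.
    """
    explicit = OrderedDict()
    globbed = OrderedDict()
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-") and "=" not in line:
            pattern = line[1:].strip()
            for key in list(globbed):
                if fnmatch.fnmatchcase(key, pattern):
                    del globbed[key]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if "*" in key:
            for expanded in expand_glob(key, names):
                globbed[expanded] = value
        else:
            explicit[key] = value
    # Explicit per-key lines win over values produced by a glob.
    result = OrderedDict(globbed)
    result.update(explicit)
    return result


def effective_rp_filter(settings, names=CONF_DIRS, kernel_default=0):
    """Model of how the kernel combines conf.all and conf.<dev> for
    rp_filter: the stronger (larger) value wins, as the commit message
    states. Unset keys fall back to `kernel_default`. This follows the
    message's description, not kernel source."""
    all_value = int(settings.get("net.ipv4.conf.all.rp_filter", kernel_default))
    effective = {}
    for dev in names:
        if dev in ("all", "default"):
            continue
        dev_value = int(settings.get(f"net.ipv4.conf.{dev}.rp_filter", kernel_default))
        effective[dev] = max(all_value, dev_value)
    return effective


# The three strategies, each followed by an operator's later wish to
# weaken eth0 to loose mode (1). Constructed sysctl.d fragments.
DEFAULT_ONLY = [
    "net.ipv4.conf.default.rp_filter = 2",
    "net.ipv4.conf.eth0.rp_filter = 1",
]
ALL = [
    "net.ipv4.conf.all.rp_filter = 2",
    "net.ipv4.conf.eth0.rp_filter = 1",
]
GLOB_MINUS_ALL = [  # the shape this commit adopts
    "net.ipv4.conf.default.rp_filter = 2",
    "net.ipv4.conf.*.rp_filter = 2",
    "-net.ipv4.conf.all.rp_filter",
    "net.ipv4.conf.eth0.rp_filter = 1",
]

if __name__ == "__main__":
    for label, lines in [("default only", DEFAULT_ONLY), ("all", ALL),
                         ("glob minus all", GLOB_MINUS_ALL)]:
        print(f"{label:15s} {effective_rp_filter(resolve(lines))}")
```

Running it shows the three outcomes the message describes: with `default` only, interfaces that already exist (`lo`, `wlan0`) keep the kernel's value of 0; with `all`, the weaker `eth0 = 1` is overridden to 2 by the stronger `all` value; with the glob minus `all`, every present interface gets 2 while `eth0` can still be relaxed to 1.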
| -rw-r--r-- | sysctl.d/50-default.conf | 6 |
|---|---|---|

1 files changed, 6 insertions, 0 deletions
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf index c22d690de4..14378b24af 100644 --- a/sysctl.d/50-default.conf +++ b/sysctl.d/50-default.conf @@ -23,12 +23,18 @@ kernel.core_uses_pid = 1 # Source route verification net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.*.rp_filter = 2 +-net.ipv4.conf.all.rp_filter # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.*.accept_source_route = 0 +-net.ipv4.conf.all.accept_source_route # Promote secondary addresses when the primary address is removed net.ipv4.conf.default.promote_secondaries = 1 +net.ipv4.conf.*.promote_secondaries = 1 +-net.ipv4.conf.all.promote_secondaries # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW # The upper limit is set to 2^31-1. Values greater than that get rejected by |
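Review bot: the three value-less `-net.ipv4.conf.all.*` lines carry no comment in the file, yet they are the whole point of the hunk: per the commit message they exclude `all` from the preceding `net.ipv4.conf.*.…` glob so the `all` knob is left alone and a weaker per-interface value remains possible. Since a leading `-` on a key has long meant "ignore failure to set this key", a reader of `50-default.conf` on its own is likely to misread a `-key` line with no `=`. Suggest one comment above the first pair, e.g. `# '*' matches every interface present; '-key' with no value excludes it from the glob above, so conf.all stays untouched`. Also, if the glob is expanded against the entries of `/proc/sys/net/ipv4/conf/`, it matches `default` too, so the explicit `net.ipv4.conf.default.*` lines kept above each glob become redundant; harmless, but worth a word in the comment if they are kept on purpose.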