authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2020-01-30 10:41:31 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2020-02-04 00:01:50 +0100
commit5d4fc0e665a3639f92ac880896c56f9533441307 (patch)
tree19d2d4524395848394fda275ca9add4b86d4a7b9
parentsysctl: add glob syntax to sysctl.d files (diff)
sysctl: set ipv4 settings in a race-free way
Fixes #6282. This solution is a bit busy, but we close the race without setting *.all.*, so it is still possible to set a different setting for particular interfaces. Setting just "default" is not very useful because any interfaces present before systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because the kernel takes the stronger of the device-specific setting and the "all" value, so effectively having a weaker setting for specific interfaces is not possible.
-rw-r--r--sysctl.d/50-default.conf6
1 files changed, 6 insertions, 0 deletions
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index c22d690de4..14378b24af 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -23,12 +23,18 @@ kernel.core_uses_pid = 1
# Source route verification
net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.*.rp_filter = 2
+-net.ipv4.conf.all.rp_filter
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.*.accept_source_route = 0
+-net.ipv4.conf.all.accept_source_route
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
+net.ipv4.conf.*.promote_secondaries = 1
+-net.ipv4.conf.all.promote_secondaries
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by