summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorMichael Scott <mike@foundries.io>2019-05-09 11:06:41 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-05-12 09:04:26 +0100
commit25c91cf7e905fd37c95e60e150468074feaa16a6 (patch)
tree753d99adefff221e1aa4b64657fd473c4a1fa770 /meta/recipes-extended
parent5a16dee75f4c73eef052464d588ead1c831672fe (diff)
downloadpoky-25c91cf7e905fd37c95e60e150468074feaa16a6.tar.gz
procps: update legacy sysctl.conf to fix rp_filter sysctl issue
The sysctl.conf file for procps is very outdated: https://git.openembedded.org/openembedded-core/commit/?id=8a9b9a323f4363e27138077e3e3dce8139a36708 (circa 2014) The origin of this file is hard to determine and due to it's age is causing a routing issue when both wifi and ethernet are enabled. This manifested during an update from thud -> warrior due to the following: - upstream change in NetworkManager during 1.16 cycle removes the dynamic setting of rp_filter sysctl when more than one interface is enabled: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b1082aa9a711deb96652e5b2fcaefcf399d127b8 - open-embedded updated to NetworkManager 1.16 in March 2019: https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/networkmanager?id=5509328af9e4fab267251456f4d6e7bd51df779a - setting in legacy sysctl.conf sets rp_filter to 1 which blocks packets with different inbound and outbound addresses. Documentation of rp_filter setting from kernel.org: rp_filter - INTEGER 0 - No source validation. 1 - Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. 2 - Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail. This patch updates the sysctl.conf file to current which doesn't set the rp_filter mode explicity (2 is the default). NOTE: The kernel/pid_max=10000 setting has been commented out as this may not be desired by default. (From OE-Core rev: f0b5f56b101d98574f81decd9de76222e7f20603) Signed-off-by: Michael Scott <mike@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/procps/procps/sysctl.conf105
1 files changed, 54 insertions, 51 deletions
diff --git a/meta/recipes-extended/procps/procps/sysctl.conf b/meta/recipes-extended/procps/procps/sysctl.conf
index 34e7488bf7..253f3701bd 100644
--- a/meta/recipes-extended/procps/procps/sysctl.conf
+++ b/meta/recipes-extended/procps/procps/sysctl.conf
@@ -1,64 +1,67 @@
1# This configuration file is taken from Debian. 1# This configuration taken from procps v3.3.15
2# Commented out kernel/pid_max=10000 line
2# 3#
3# /etc/sysctl.conf - Configuration file for setting system variables 4# /etc/sysctl.conf - Configuration file for setting system variables
4# See sysctl.conf (5) for information. 5# See sysctl.conf (5) for information.
5#
6 6
7#kernel.domainname = example.com 7# you can have the CD-ROM close when you use it, and open
8# when you are done.
9#dev.cdrom.autoeject = 1
10#dev.cdrom.autoclose = 1
8 11
9# Uncomment the following to stop low-level messages on console 12# protection from the SYN flood attack
10#kernel.printk = 4 4 1 7 13net/ipv4/tcp_syncookies=1
11 14
12##############################################################3 15# see the evil packets in your log files
13# Functions previously found in netbase 16net/ipv4/conf/all/log_martians=1
14#
15 17
16# Uncomment the next two lines to enable Spoof protection (reverse-path filter) 18# makes you vulnerable or not :-)
17# Turn on Source Address Verification in all interfaces to 19net/ipv4/conf/all/accept_redirects=0
18# prevent some spoofing attacks 20net/ipv4/conf/all/accept_source_route=0
19net.ipv4.conf.default.rp_filter=1 21net/ipv4/icmp_echo_ignore_broadcasts =1
20net.ipv4.conf.all.rp_filter=1
21 22
22# Uncomment the next line to enable TCP/IP SYN cookies 23# needed for routing, including masquerading or NAT
23#net.ipv4.tcp_syncookies=1 24#net/ipv4/ip_forward=1
24 25
25# Uncomment the next line to enable packet forwarding for IPv4 26# sets the port range used for outgoing connections
26#net.ipv4.ip_forward=1 27#net.ipv4.ip_local_port_range = 32768 61000
27 28
28# Uncomment the next line to enable packet forwarding for IPv6 29# Broken routers and obsolete firewalls will corrupt the window scaling
29#net.ipv6.conf.all.forwarding=1 30# and ECN. Set these values to 0 to disable window scaling and ECN.
31# This may, rarely, cause some performance loss when running high-speed
32# TCP/IP over huge distances or running TCP/IP over connections with high
33# packet loss and modern routers. This sure beats dropped connections.
34#net.ipv4.tcp_ecn = 0
30 35
36# Swapping too much or not enough? Disks spinning up when you'd
37# rather they didn't? Tweak these.
38#vm.vfs_cache_pressure = 100
39#vm.laptop_mode = 0
40#vm.swappiness = 60
31 41
32################################################################### 42#kernel.printk_ratelimit_burst = 10
33# Additional settings - these settings can improve the network 43#kernel.printk_ratelimit = 5
34# security of the host and prevent against some network attacks 44#kernel.panic_on_oops = 0
35# including spoofing attacks and man in the middle attacks through 45
36# redirection. Some network environments, however, require that these 46# Reboot 600 seconds after a panic
37# settings are disabled so review and enable them as needed. 47#kernel.panic = 600
38# 48
39# Ignore ICMP broadcasts 49# enable SysRq key (note: console security issues)
40#net.ipv4.icmp_echo_ignore_broadcasts = 1 50#kernel.sysrq = 1
41# 51
42# Ignore bogus ICMP errors 52# Change name of core file to start with the command name
43#net.ipv4.icmp_ignore_bogus_error_responses = 1 53# so you get things like: emacs.core mozilla-bin.core X.core
44# 54#kernel.core_pattern = %e.core
45# Do not accept ICMP redirects (prevent MITM attacks) 55
46#net.ipv4.conf.all.accept_redirects = 0 56# NIS/YP domain (not always equal to DNS domain)
47#net.ipv6.conf.all.accept_redirects = 0 57#kernel.domainname = example.com
48# _or_ 58#kernel.hostname = darkstar
49# Accept ICMP redirects only for gateways listed in our default 59
50# gateway list (enabled by default) 60# This limits PID values to 4 digits, which allows tools like ps
51# net.ipv4.conf.all.secure_redirects = 1 61# to save screen space.
52# 62#kernel/pid_max=10000
53# Do not send ICMP redirects (we are not a router)
54#net.ipv4.conf.all.send_redirects = 0
55#
56# Do not accept IP source route packets (we are not a router)
57#net.ipv4.conf.all.accept_source_route = 0
58#net.ipv6.conf.all.accept_source_route = 0
59#
60# Log Martian Packets
61#net.ipv4.conf.all.log_martians = 1
62#
63 63
64#kernel.shmmax = 141762560 64# Protects against creating or following links under certain conditions
65# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
66#fs.protected_hardlinks = 1
67#fs.protected_symlinks = 1