diff options
| author | Michael Scott <mike@foundries.io> | 2019-05-09 11:06:41 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-05-12 09:04:26 +0100 |
| commit | 25c91cf7e905fd37c95e60e150468074feaa16a6 (patch) | |
| tree | 753d99adefff221e1aa4b64657fd473c4a1fa770 /meta | |
| parent | 5a16dee75f4c73eef052464d588ead1c831672fe (diff) | |
| download | poky-25c91cf7e905fd37c95e60e150468074feaa16a6.tar.gz | |
procps: update legacy sysctl.conf to fix rp_filter sysctl issue
The sysctl.conf file for procps is very outdated:
https://git.openembedded.org/openembedded-core/commit/?id=8a9b9a323f4363e27138077e3e3dce8139a36708
(circa 2014)
The origin of this file is hard to determine and due to it's age
is causing a routing issue when both wifi and ethernet are enabled.
This manifested during an update from thud -> warrior due to the
following:
- upstream change in NetworkManager during 1.16 cycle removes the
dynamic setting of rp_filter sysctl when more than one interface
is enabled:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b1082aa9a711deb96652e5b2fcaefcf399d127b8
- open-embedded updated to NetworkManager 1.16 in March 2019:
https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/networkmanager?id=5509328af9e4fab267251456f4d6e7bd51df779a
- setting in legacy sysctl.conf sets rp_filter to 1 which blocks
packets with different inbound and outbound addresses.
Documentation of rp_filter setting from kernel.org:
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
This patch updates the sysctl.conf file to current which doesn't set
the rp_filter mode explicity (2 is the default).
NOTE: The kernel/pid_max=10000 setting has been commented out as this
may not be desired by default.
(From OE-Core rev: f0b5f56b101d98574f81decd9de76222e7f20603)
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-extended/procps/procps/sysctl.conf | 105 |
1 files changed, 54 insertions, 51 deletions
diff --git a/meta/recipes-extended/procps/procps/sysctl.conf b/meta/recipes-extended/procps/procps/sysctl.conf index 34e7488bf7..253f3701bd 100644 --- a/meta/recipes-extended/procps/procps/sysctl.conf +++ b/meta/recipes-extended/procps/procps/sysctl.conf | |||
| @@ -1,64 +1,67 @@ | |||
| 1 | # This configuration file is taken from Debian. | 1 | # This configuration taken from procps v3.3.15 |
| 2 | # Commented out kernel/pid_max=10000 line | ||
| 2 | # | 3 | # |
| 3 | # /etc/sysctl.conf - Configuration file for setting system variables | 4 | # /etc/sysctl.conf - Configuration file for setting system variables |
| 4 | # See sysctl.conf (5) for information. | 5 | # See sysctl.conf (5) for information. |
| 5 | # | ||
| 6 | 6 | ||
| 7 | #kernel.domainname = example.com | 7 | # you can have the CD-ROM close when you use it, and open |
| 8 | # when you are done. | ||
| 9 | #dev.cdrom.autoeject = 1 | ||
| 10 | #dev.cdrom.autoclose = 1 | ||
| 8 | 11 | ||
| 9 | # Uncomment the following to stop low-level messages on console | 12 | # protection from the SYN flood attack |
| 10 | #kernel.printk = 4 4 1 7 | 13 | net/ipv4/tcp_syncookies=1 |
| 11 | 14 | ||
| 12 | ##############################################################3 | 15 | # see the evil packets in your log files |
| 13 | # Functions previously found in netbase | 16 | net/ipv4/conf/all/log_martians=1 |
| 14 | # | ||
| 15 | 17 | ||
| 16 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter) | 18 | # makes you vulnerable or not :-) |
| 17 | # Turn on Source Address Verification in all interfaces to | 19 | net/ipv4/conf/all/accept_redirects=0 |
| 18 | # prevent some spoofing attacks | 20 | net/ipv4/conf/all/accept_source_route=0 |
| 19 | net.ipv4.conf.default.rp_filter=1 | 21 | net/ipv4/icmp_echo_ignore_broadcasts =1 |
| 20 | net.ipv4.conf.all.rp_filter=1 | ||
| 21 | 22 | ||
| 22 | # Uncomment the next line to enable TCP/IP SYN cookies | 23 | # needed for routing, including masquerading or NAT |
| 23 | #net.ipv4.tcp_syncookies=1 | 24 | #net/ipv4/ip_forward=1 |
| 24 | 25 | ||
| 25 | # Uncomment the next line to enable packet forwarding for IPv4 | 26 | # sets the port range used for outgoing connections |
| 26 | #net.ipv4.ip_forward=1 | 27 | #net.ipv4.ip_local_port_range = 32768 61000 |
| 27 | 28 | ||
| 28 | # Uncomment the next line to enable packet forwarding for IPv6 | 29 | # Broken routers and obsolete firewalls will corrupt the window scaling |
| 29 | #net.ipv6.conf.all.forwarding=1 | 30 | # and ECN. Set these values to 0 to disable window scaling and ECN. |
| 31 | # This may, rarely, cause some performance loss when running high-speed | ||
| 32 | # TCP/IP over huge distances or running TCP/IP over connections with high | ||
| 33 | # packet loss and modern routers. This sure beats dropped connections. | ||
| 34 | #net.ipv4.tcp_ecn = 0 | ||
| 30 | 35 | ||
| 36 | # Swapping too much or not enough? Disks spinning up when you'd | ||
| 37 | # rather they didn't? Tweak these. | ||
| 38 | #vm.vfs_cache_pressure = 100 | ||
| 39 | #vm.laptop_mode = 0 | ||
| 40 | #vm.swappiness = 60 | ||
| 31 | 41 | ||
| 32 | ################################################################### | 42 | #kernel.printk_ratelimit_burst = 10 |
| 33 | # Additional settings - these settings can improve the network | 43 | #kernel.printk_ratelimit = 5 |
| 34 | # security of the host and prevent against some network attacks | 44 | #kernel.panic_on_oops = 0 |
| 35 | # including spoofing attacks and man in the middle attacks through | 45 | |
| 36 | # redirection. Some network environments, however, require that these | 46 | # Reboot 600 seconds after a panic |
| 37 | # settings are disabled so review and enable them as needed. | 47 | #kernel.panic = 600 |
| 38 | # | 48 | |
| 39 | # Ignore ICMP broadcasts | 49 | # enable SysRq key (note: console security issues) |
| 40 | #net.ipv4.icmp_echo_ignore_broadcasts = 1 | 50 | #kernel.sysrq = 1 |
| 41 | # | 51 | |
| 42 | # Ignore bogus ICMP errors | 52 | # Change name of core file to start with the command name |
| 43 | #net.ipv4.icmp_ignore_bogus_error_responses = 1 | 53 | # so you get things like: emacs.core mozilla-bin.core X.core |
| 44 | # | 54 | #kernel.core_pattern = %e.core |
| 45 | # Do not accept ICMP redirects (prevent MITM attacks) | 55 | |
| 46 | #net.ipv4.conf.all.accept_redirects = 0 | 56 | # NIS/YP domain (not always equal to DNS domain) |
| 47 | #net.ipv6.conf.all.accept_redirects = 0 | 57 | #kernel.domainname = example.com |
| 48 | # _or_ | 58 | #kernel.hostname = darkstar |
| 49 | # Accept ICMP redirects only for gateways listed in our default | 59 | |
| 50 | # gateway list (enabled by default) | 60 | # This limits PID values to 4 digits, which allows tools like ps |
| 51 | # net.ipv4.conf.all.secure_redirects = 1 | 61 | # to save screen space. |
| 52 | # | 62 | #kernel/pid_max=10000 |
| 53 | # Do not send ICMP redirects (we are not a router) | ||
| 54 | #net.ipv4.conf.all.send_redirects = 0 | ||
| 55 | # | ||
| 56 | # Do not accept IP source route packets (we are not a router) | ||
| 57 | #net.ipv4.conf.all.accept_source_route = 0 | ||
| 58 | #net.ipv6.conf.all.accept_source_route = 0 | ||
| 59 | # | ||
| 60 | # Log Martian Packets | ||
| 61 | #net.ipv4.conf.all.log_martians = 1 | ||
| 62 | # | ||
| 63 | 63 | ||
| 64 | #kernel.shmmax = 141762560 | 64 | # Protects against creating or following links under certain conditions |
| 65 | # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt | ||
| 66 | #fs.protected_hardlinks = 1 | ||
| 67 | #fs.protected_symlinks = 1 | ||