sysctl: set ipv4 settings in a race-free way

Fixes #6282.

This solution is a bit busy, but we close the race without setting *.all.*, so
it is still possible to set a different setting for particular interfaces.
Setting just "default" is not very useful because any interfaces present before
systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because
the kernel takes the stronger of the device-specific setting and the "all" value,
so effectively having a weaker setting for specific interfaces is not possible.

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index c22d690de47534154530d32c705e08d05b7222c2..14378b24af10b4e57bc9094ef7a3dee4d5d397f3 100644 (file)
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -23,12 +23,18 @@ kernel.core_uses_pid = 1
 
 # Source route verification
 net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.*.rp_filter = 2
+-net.ipv4.conf.all.rp_filter
 
 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.*.accept_source_route = 0
+-net.ipv4.conf.all.accept_source_route
 
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.default.promote_secondaries = 1
+net.ipv4.conf.*.promote_secondaries = 1
+-net.ipv4.conf.all.promote_secondaries
 
 # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
 # The upper limit is set to 2^31-1. Values greater than that get rejected by