From: Zbigniew Jędrzejewski-Szmek
Date: Thu, 30 Jan 2020 09:41:31 +0000 (+0100)
Subject: sysctl: set ipv4 settings in a race-free way
X-Git-Tag: v245-rc1~22^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F14589%2Fhead;p=thirdparty%2Fsystemd.git

sysctl: set ipv4 settings in a race-free way

Fixes #6282.

This solution is a bit busy, but we close the race without setting *.all.*, so it is still possible to set a different setting for particular interfaces.

Setting just "default" is not very useful because any interfaces present before systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because the kernel takes the stronger of the device-specific setting and the "all" value, so effectively having a weaker setting for specific interfaces is not possible.

---

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf index c22d690de47..14378b24af1 100644 --- a/sysctl.d/50-default.conf +++ b/sysctl.d/50-default.conf @@ -23,12 +23,18 @@ kernel.core_uses_pid = 1 # Source route verification net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.*.rp_filter = 2 +-net.ipv4.conf.all.rp_filter # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.*.accept_source_route = 0 +-net.ipv4.conf.all.accept_source_route # Promote secondary addresses when the primary address is removed net.ipv4.conf.default.promote_secondaries = 1 +net.ipv4.conf.*.promote_secondaries = 1 +-net.ipv4.conf.all.promote_secondaries # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW # The upper limit is set to 2^31-1. Values greater than that get rejected by
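Review bot: the reason each `net.ipv4.conf.*.<key> = <value>` line is paired with a valueless `-net.ipv4.conf.all.<key>` exclusion line lives only in this commit message, so add a short comment in 50-default.conf above the first such pair (the rp_filter block) stating that the glob covers every interface already present when systemd-sysctl runs, that `all` is deliberately skipped so a weaker per-interface value stays possible, and that `default` is kept for interfaces created later; a reader of the shipped file otherwise sees three near-duplicate keys with no explanation. The valueless `-key` form is also a systemd-sysctl extension rather than plain sysctl.conf syntax, so it is worth noting in that same comment that a consumer which does not understand glob exclusion will reject those lines.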