
systemd single handedly disabled rp_filter on all interfaces #32563

Closed
Gunni opened this issue Apr 29, 2024 · 7 comments

Comments

@Gunni

Gunni commented Apr 29, 2024

systemd version the issue has been seen with

245-255

Used distribution

N/A

Linux kernel version used

N/A

CPU architectures issue was seen on

x86_64

Component

other

Expected behaviour you didn't see

sysctls:

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter =  1

Should work.

Unexpected behaviour you saw

In this commit 5d4fc0e

systemd single-handedly disabled rp_filter on all interfaces, causing any changes to all and default to be ignored.

Steps to reproduce the problem

Setup clean Ubuntu 22.04, the file is in /usr/lib/sysctl.d/50-default.conf.

Additional program output to the terminal or log subsystem illustrating the issue

No response

@Gunni Gunni added the bug 🐛 Programming errors, that need preferential fixing label Apr 29, 2024
@YHNdnzj YHNdnzj added the sysctl label Apr 29, 2024
@YHNdnzj
Member

YHNdnzj commented Apr 29, 2024

Hmm, that's why drop-ins support ordering? When you add new sysctl.d config, just order it after vendor-supplied ones?

@YHNdnzj YHNdnzj added not-a-bug and removed bug 🐛 Programming errors, that need preferential fixing labels Apr 29, 2024
@Gunni
Author

Gunni commented Apr 30, 2024

Yes but if I add

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter =  1

To 01-custom.conf to sysctl.d it is ignored because this patch is setting

net.ipv4.conf.*.rp_filter = 2

So it gets applied to all interfaces too, then I would need to do that too but:

The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

@yuwata
Member

yuwata commented Apr 30, 2024

Please try to rename the file to e.g. 60-custom.conf.

@Gunni
Author

Gunni commented Apr 30, 2024

The problem is not what to name the file, it is the fact that because you define a value for ALL INTERFACES separately without just using the .all. as intended you require me to do the same.

It is not enough for me to make a 60-custom.conf with

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter =  1

I would have to make it with the same as you

net.ipv4.conf.*.rp_filter =  1

Which is ridiculous. Why can't you either not set these kinds of policies, or set the all key as it is designed to be used?

@rvandegrift

I ran into this on Ubuntu 22.04 today - it's quite surprising, since the kernel already provides a safe mechanism to apply the defaults to newly attached interfaces.

In my case, there's another app managing network interface sysctls. The globbed sysctls were racing with this app, resulting in wildly non-deterministic outcomes.

To disable the globbed sysctls, and override rp_filter defaults, I came up with the following for /etc/sysctl.d/99-no-net-wildcards.conf:

-net.ipv4.conf.*.rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

That seems to work - the wildcard doesn't provide the default, the .defaults key does. But that syntax isn't actually described in sysctl.d(5) - so I'm a little worried it's unsupported.

IMO the wildcard sysctls seem like a bit of a footgun :\

@yuwata
Member

yuwata commented May 10, 2024

It's documented. See https://www.freedesktop.org/software/systemd/man/latest/sysctl.d.html

Anyway, this is not a bug. Closing.

@yuwata yuwata closed this as completed May 10, 2024
@rvandegrift

It's documented. See https://www.freedesktop.org/software/systemd/man/latest/sysctl.d.html

@yuwata I don't see where that doc explains how to negate a glob. It shows positive globs and exceptions to instances that a glob would match. But neither is sufficient to prevent racy updates.

If negated globs are intentionally supported, it'd be nice to have that documented there.
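The following is an added example (not systemd's code and not posted by anyone in this thread) that models the sysctl.d merge rules the thread relies on: fragments are applied in lexicographic filename order, a later assignment to the same literal key replaces the earlier one, a key containing glob characters is expanded against existing keys, and a key that is listed explicitly is never overwritten by a glob. It then applies the kernel rule Gunni quotes, effective rp_filter = max(conf.all, conf.<iface>), to show why an `all`/`default` override in 01-custom.conf or 60-custom.conf still leaves every interface at 2, why repeating the glob works, and why rvandegrift's valueless `-net.ipv4.conf.*.rp_filter` line neutralises the vendor glob. Assumptions: the vendor fragment is modelled as just the glob line quoted in the thread, the interface names and their pre-existing values are constructed, and treating a valueless `-key` as replacing an earlier entry for the same literal key is my reading of the behaviour rvandegrift reports.

```python
"""Model of sysctl.d fragment merging and of the kernel's per-interface
rp_filter choice.  Added illustration for this thread, not systemd code.
Fragment contents, interface names and initial values are constructed."""
from fnmatch import fnmatchcase

# Constructed pre-systemd-sysctl state: three interfaces, everything at 0.
IFACES = ["lo", "eth0", "eth1"]
INITIAL = {"net.ipv4.conf.all.rp_filter": "0",
           "net.ipv4.conf.default.rp_filter": "0",
           **{f"net.ipv4.conf.{i}.rp_filter": "0" for i in IFACES}}

# Vendor fragment modelled from the glob line quoted in the thread (assumption:
# only this line is relevant to the example).
VENDOR = {"50-default.conf": "net.ipv4.conf.*.rp_filter = 2\n"}


def parse_fragment(text):
    """Return [(key, value_or_None)] for one sysctl.d-style fragment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-"):            # "-" prefix: tolerate errors / no value
            line = line[1:].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
        else:
            key, value = line, None         # valueless key: listed but never written
        entries.append((key.replace("/", "."), value))
    return entries


def merge_fragments(fragments):
    """fragments: {filename: text}.  Apply in sorted filename order; a later
    assignment to the same literal key replaces the earlier value while the
    key keeps its original position (dict insertion order)."""
    merged = {}
    for name in sorted(fragments):
        for key, value in parse_fragment(fragments[name]):
            merged[key] = value
    return merged


def apply_options(merged, existing):
    """Write the merged options into a copy of the sysctl tree `existing`."""
    tree = dict(existing)
    for key, value in merged.items():
        if value is None:
            continue                        # nothing to write for a valueless key
        if any(c in key for c in "*?["):
            for target in sorted(tree):
                # A glob is expanded against existing keys and skips any key
                # that appears explicitly in the merged options.
                if fnmatchcase(target, key) and target not in merged:
                    tree[target] = value
        else:
            tree[key] = value
    return tree


def effective_rp_filter(tree, iface):
    """Kernel rule quoted in the thread: the max of conf.all and conf.<iface>."""
    return max(int(tree["net.ipv4.conf.all.rp_filter"]),
               int(tree[f"net.ipv4.conf.{iface}.rp_filter"]))


def scenario(extra_fragments):
    """Effective rp_filter per interface for VENDOR plus the given fragments."""
    tree = apply_options(merge_fragments({**VENDOR, **extra_fragments}), INITIAL)
    return {iface: effective_rp_filter(tree, iface) for iface in IFACES}


ALL_DEFAULT_1 = "net.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.rp_filter =  1\n"
NO_WILDCARDS = ("-net.ipv4.conf.*.rp_filter\n"
                "net.ipv4.conf.all.rp_filter = 0\n"
                "net.ipv4.conf.default.rp_filter = 0\n")

if __name__ == "__main__":
    print("vendor only:         ", scenario({}))
    print("01-custom all/def=1: ", scenario({"01-custom.conf": ALL_DEFAULT_1}))
    print("60-custom all/def=1: ", scenario({"60-custom.conf": ALL_DEFAULT_1}))
    print("60-custom glob=1:    ", scenario({"60-custom.conf": "net.ipv4.conf.*.rp_filter = 1\n"}))
    print("99-no-net-wildcards: ", scenario({"99-no-net-wildcards.conf": NO_WILDCARDS}))
```

The two `all`/`default` overrides land on 2 for every interface regardless of ordering, because the per-interface keys written by the glob are what the kernel's max() picks up; only a fragment that repeats the glob key (with a new value, or valueless) changes the per-interface result.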


4 participants