procps: add updated sysctl.conf to fix rp_filter issue #32
Merged
ricardosalveti merged 1 commit into foundriesio:master from May 9, 2019
OE has a very outdated sysctl.conf file in the procps package:
https://git.openembedded.org/openembedded-core/commit/?id=8a9b9a323f4363e27138077e3e3dce8139a36708
(circa 2014)

The origins of this file are quite unknown and it's causing a routing issue when both wifi and ethernet are enabled due to the following:

- upstream change in NetworkManager during 1.16 cycle removes the dynamic rp_filter setting change when more than one interface is enabled.
- legacy setting in sysctl.conf sets rp_filter to 1 which blocks packets with different inbound and outbound addresses.

Documentation of rp_filter setting from kernel.org:

rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.

This patch updates the sysctl.conf file to procps v3.3.15 which doesn't set the rp_filter mode explicitly.

NOTE: The kernel/pid_max=10000 setting has been commented out as this may not be desired by default.

Signed-off-by: Michael Scott <[email protected]>
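An added example, not part of the pull request or of the procps/OE sources: a check that reports which rp_filter mode a sysctl.conf-style file would apply to an interface, so a reviewer can see whether strict, loose or no explicit source validation results from a given file. The function name `effective_rp_filter` and the three sample files are constructed for illustration; the script assumes the kernel's documented rule that the maximum of `conf/all` and `conf/<interface>` is used, and that interfaces without their own entry take `conf/default`.

```shell
#!/bin/sh
# Added example: which rp_filter mode would a sysctl.conf-style file apply?

# effective_rp_filter FILE IFACE -> prints 0, 1, 2, or "unset" when the file
# sets no relevant rp_filter key (kernel default or another fragment decides).
effective_rp_filter() {
    awk -v ifc="$2" '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)         # "key = value" -> "key=value"
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            gsub(/\//, ".", key)            # accept net/ipv4/... spelling too
            if (key !~ /^net\.ipv4\.conf\..+\.rp_filter$/) next
            sub(/^net\.ipv4\.conf\./, "", key)
            sub(/\.rp_filter$/, "", key)
            seen[key] = substr(line, n + 1) + 0   # last assignment wins
        }
        END {
            if (!("all" in seen) && !("default" in seen) && !(ifc in seen)) {
                print "unset"
                exit
            }
            # New interfaces inherit conf/default; the kernel then validates
            # with max(conf/all, conf/<iface>).
            per = (ifc in seen) ? seen[ifc] : (("default" in seen) ? seen["default"] : 0)
            glob = ("all" in seen) ? seen["all"] : 0
            m = (glob > per) ? glob : per
            print m
        }' "$1"
}

# Constructed sample files (not the real OE or procps sysctl.conf contents).
tmp=$(mktemp -d)
printf '%s\n' 'net.ipv4.conf.default.rp_filter = 1' \
              'net.ipv4.conf.all.rp_filter = 1' > "$tmp/legacy.conf"
printf '%s\n' '#net.ipv4.conf.all.rp_filter = 1' \
              '#kernel/pid_max = 10000' > "$tmp/updated.conf"
printf '%s\n' 'net.ipv4.conf.default.rp_filter = 1' \
              'net/ipv4/conf/all/rp_filter = 2' > "$tmp/loose.conf"

for f in legacy updated loose; do
    echo "$f: wlan0 -> $(effective_rp_filter "$tmp/$f.conf" wlan0)"
done
```

A result of "unset" means source validation is left to the kernel default or to another sysctl fragment, so an image that still needs anti-spoofing on multi-homed devices has to set loose mode (2) somewhere else.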
ricardosalveti approved these changes May 9, 2019
doanac added a commit to doanac/meta-lmp that referenced this pull request Apr 15, 2022
factory-containers: Fix issue with "add-build"
quaresmajose pushed a commit that referenced this pull request Nov 9, 2022

Relevant changes:
- 826542a Merge pull request #34 from ricardosalveti/master
- 804f6b2 classes/sota: no need to add wic when sota is enabled
- 58e3efb Merge pull request #32 from uptane/shellcheck-master
- eee365c Replace tabs with spaces.
- 6dbc404 Fix all shellcheck complaints.
- 5a4e76b Merge pull request #31 from ricardosalveti/master
- 39feaef sota: drop curl packageconfig settings for openssl
- e4b64f8 Merge pull request #30 from uptane/ostree-curl-timeout-master
- 60864e2 ostree: patch to setup a curl request timeout
- 9272a91 Merge pull request #27 from shr-project/jansa/kirkstone-updates
- 4776d37 layer.conf: update LAYERSERIES_COMPAT for kirkstone
- 99d82c1 Merge pull request #25 from shr-project/jansa/curl
- 918f716 Merge pull request #22 from uptane/fix-ipsecondary-root-version
- 2142cef fixed incorrect boolean in virtualsec.json
- f2cdf57 Merge pull request #26 from shr-project/jansa/sota
- cee9fbf Merge pull request #24 from uptane/latest-versions-master
- 8e29a69 sota_sanity.bbclass: fix DeprecationWarning: invalid escape sequence d
- 4d01a7a sota.bbclass: update for renamed ssl PACKAGECONFIG in curl recipe
- 1f23c1c aktualizr: Mark aktualizr-hwid as RRECOMMENDS, not RDEPENDS.
- 93968ee aktualizr: Bump to latest, plus garage-sign.
- 851c5b7 Merge pull request #19 from shr-project/jansa/https
- 4db1422 aktualizr: use https protocol to fetch it
- 7a36ee1 Merge pull request #18 from uptane/aktualizr-secondary-etc
- ff1e835 aktualizr: Bump to latest for Secondary putRoot implementation.
- 885da7d Merge pull request #16 from uptane/latest-aktualizr
- 94e6422 aktualir: Bump to latest with TUF verification support.
- eab04a9 aktualizr: Delete unused ca.cnf file.
- 4473a81 Update to latest Aktualizr
- 25642b4 Merge pull request #13 from uptane/fix/ats-825/kirkstone
- ff20197 sota.conf.inc: Cleanup for kirkstone.
- 1093211 layer.conf: Drop older branches.

Signed-off-by: Daiane Angolini <[email protected]>