
Configuring `ip source-validation loose` doesn't properly configure `sysctl`
Needs testing · Low priority · Public · Bug

Description

On VyOS 1.2-rolling-201910180117, setting ip source-validation loose seems to have the same outcome as setting it to disable, i.e. results in rp_filter = 0.


Also related, setting firewall source-validation should perhaps configure net.ipv4.conf.default.rp_filter as opposed to net.ipv4.conf.all.rp_filter, because if one wants to disable reverse path validation only for a certain interface, but default to strict for others, at the moment it is not possible.

Details

Difficulty level
Unknown (require assessment)
Version
1.2-rolling-201910180117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer changed the task status from Open to Needs testing.Nov 16 2019, 11:05 PM
syncer assigned this task to Unknown Object (User).
syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

Just tested on 1.2.6-S1: it is still working as described by ciprian.craciun.

@ciprian.craciun

On VyOS 1.2-rolling-201910180117, setting ip source-validation loose seems to have the same outcome as setting it to disable, i.e. results in rp_filter = 0.

What do you expect to see here?

  1. Bug: values on interfaces are overwritten by the firewall global parameter.

By default:

[email protected]# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.vtun10.rp_filter = 0

Set the value "loose" for interface eth2:

[email protected]# set interfaces ethernet eth2 ip source-validation 'loose'
[edit]
[email protected]# commit
[email protected]# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.vtun10.rp_filter = 0

Set global parameter "strict":

[email protected]# set firewall source-validation 'strict'
[edit]
[email protected]# commit
[edit]
[email protected]# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
[edit]

As I understand it, interface parameters must override default values, but in this case the default value overwrites the interface value.

[email protected]# run show conf com | match valid
set firewall source-validation 'strict'
set interfaces ethernet eth2 ip source-validation 'loose'
  2. Bug: per-interface values are not deleted after delete firewall.

Expected all values to be 0 except for interface eth2, as it still has set interfaces ethernet eth2 ip source-validation 'loose' configured.

[email protected]# delete firewall 
[edit]
[email protected]# commit
[edit]

[email protected]# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
[edit]

@Viacheslav Sorry for the long delay in replying.

Looking at my initial bug I think there were two separate issues:

  • using loose or disable didn't matter (they were both treated as disable);
  • as you've observed, the source-validation in firewall seems to override everything else.

Looking in my own configuration, I have the following:

  • at firewall level set to disable;
  • at interface level set to strict;
  • at interface VLAN level some are loose;
  • on PPPoE interfaces again set to loose;

Looking with sysctl I get the following values:

  • 0 (i.e. disabled) for all and default; (as expected;)
  • 1 (i.e. strict) for eth* interfaces; (as expected;)
  • 0 (i.e. disabled) for all eth*/* VLAN interfaces; (not as expected, given that at least some VLANs have strict settings;)
  • 0 (i.e. disabled) for all pppoe* interfaces; (not as expected, given that I've set them to loose;)

So I think there are multiple issues that might manifest in my case.

(I am still using 1.2-rolling-201910180117.)

erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 6:29 PM

1.3.0:
Still generating the same config

olof@o6-80003# run show conf com | grep validation
set firewall source-validation 'strict'
[edit]
olof@o6-80003# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.dum0.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0/42.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1/1728.rp_filter = 0
net.ipv4.conf.eth1/1805.rp_filter = 0
net.ipv4.conf.eth1/1806.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.ifb042.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.wg0.rp_filter = 1

But it does seem to block martian traffic on the VLAN interface anyway (I spoof the source address on a host behind eth1.1805), and it is logged and blocked as a martian.

Mar  3 15:19:14 o6-80003 kernel: [1298463.199335] IPv4: martian source 1.1.1.1 from 192.168.97.2, on dev eth1.1805
Mar  3 15:19:14 o6-80003 kernel: [1298463.199355] ll header: 00000000: xx xx
Mar  3 15:19:15 o6-80003 kernel: [1298464.223279] IPv4: martian source 1.1.1.1 from 192.168.97.2, on dev eth1.1805
Mar  3 15:19:15 o6-80003 kernel: [1298464.223303] ll header: 00000000: xx xx

Then, after I enable strict explicitly on eth1.1805, I get the rp_filter configuration in sysctl, and a warning from VyOS.

olof@o6-80003# set interfaces ethernet eth1 vif 1805 ip source-validation strict 
[edit]
olof@o6-80003# commit
WARNING: Global source-validation is set to "strict
"this overrides per interface setting!
WARNING: Global source-validation is set to "strict
"this overrides per interface setting!
WARNING: Global source-validation is set to "strict
"this overrides per interface setting!
[edit]
olof@o6-80003# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.dum0.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0/42.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1/1728.rp_filter = 0
net.ipv4.conf.eth1/1805.rp_filter = 1
net.ipv4.conf.eth1/1806.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.ifb042.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.wg0.rp_filter = 1

And obviously it still blocks martian traffic.
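The observation above (eth1/1805 reads 0 in sysctl yet martians are still dropped) follows from how the kernel combines the two sysctl values: for each interface it enforces max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<dev>.rp_filter), and net.ipv4.conf.default.rp_filter is only copied into interfaces created after it is set. The script below is an added example, not VyOS code: it parses `sysctl -a` output, applies that kernel rule, and reports every interface whose enforced mode differs from what the VyOS configuration asked for. The sample sysctl states are constructed from the values posted in this thread; the assumption that an interface without its own `ip source-validation` should follow the `firewall source-validation` value (and `disable` when none is set) is mine.

```python
"""Added example (not VyOS code): compute the rp_filter value the Linux kernel
actually enforces per interface from `sysctl -a` output, and compare it with
what the VyOS configuration intended.

Kernel rule (Documentation/networking/ip-sysctl.rst): for a given interface the
kernel uses max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<dev>.rp_filter).
net.ipv4.conf.default.rp_filter is only copied into interfaces created after it
is set, so changing it never alters an already existing interface on its own.
"""
import re

MODES = {0: "disable", 1: "strict", 2: "loose"}   # VyOS keyword for each kernel value

RP_LINE = re.compile(r"^net\.ipv4\.conf\.(?P<dev>.+)\.rp_filter\s*=\s*(?P<val>[012])$")


def parse_rp_filter(sysctl_output: str) -> dict:
    """Return {device: value} for every *.rp_filter line, including 'all' and 'default'.
    Device names are kept as sysctl prints them, so VLAN eth1.1805 appears as 'eth1/1805'."""
    values = {}
    for line in sysctl_output.splitlines():
        m = RP_LINE.match(line.strip())
        if m:
            values[m.group("dev")] = int(m.group("val"))
    return values


def enforced_rp_filter(values: dict) -> dict:
    """Apply the kernel's max(all, device) rule. It is a numeric max, so
    all=1 (strict) combined with device=2 (loose) yields 2 (loose), not strict."""
    all_val = values.get("all", 0)
    return {dev: max(all_val, val)
            for dev, val in values.items() if dev not in ("all", "default")}


def audit(sysctl_output: str, per_interface: dict, global_mode: str = None) -> list:
    """Compare the enforced mode against the VyOS intent.

    per_interface: {device: mode} from `set interfaces ... ip source-validation <mode>`
    global_mode:   value of `set firewall source-validation`, or None when not configured
    Assumption (not from VyOS docs): an interface with no explicit setting is intended
    to follow global_mode, and 'disable' when no global value is configured.
    Returns [(device, intended, enforced), ...] for every interface that differs.
    """
    fallback = global_mode or "disable"
    enforced = enforced_rp_filter(parse_rp_filter(sysctl_output))
    mismatches = []
    for dev, val in sorted(enforced.items()):
        intended = per_interface.get(dev, fallback)
        got = MODES[val]
        if got != intended:
            mismatches.append((dev, intended, got))
    return mismatches


# Constructed sample: the sysctl state shown in this thread after `delete firewall`
# while `set interfaces ethernet eth2 ip source-validation loose` is still configured.
SAMPLE_AFTER_DELETE = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
"""

# Constructed sample: global strict with eth1 and its VLAN left at 0, as in the
# 1.3.0 output; the kernel still enforces strict on eth1/1805 through 'all'.
SAMPLE_GLOBAL_STRICT = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1/1805.rp_filter = 0
"""

if __name__ == "__main__":
    # Stale values after `delete firewall`: every interface, including eth2, is enforced strict.
    for dev, intended, got in audit(SAMPLE_AFTER_DELETE, {"eth2": "loose"}):
        print(f"{dev}: configured {intended}, kernel enforces {got}")
    # Why the VLAN still drops martians although its own sysctl reads 0.
    print(enforced_rp_filter(parse_rp_filter(SAMPLE_GLOBAL_STRICT)))
```

Run it on a live box with `sudo sysctl -a 2>/dev/null | grep '\.rp_filter'` piped into `parse_rp_filter`; the point to take away is that reading `net.ipv4.conf.<dev>.rp_filter` alone says nothing about what is enforced until `net.ipv4.conf.all.rp_filter` is known, and that the numeric max means a global `strict` plus a per-interface `loose` ends up as loose.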

syncer reassigned this task from Unknown Object (User) to Viacheslav.Jul 16 2023, 9:30 PM
syncer added a subscriber: Unknown Object (User).