
Configuring `ip source-validation loose` doesn't properly configure `sysctl`
Status: Needs testing, Priority: Low, Public, Bug

Description

On VyOS 1.2-rolling-201910180117, setting ip source-validation loose seems to have the same outcome as setting it to disable, i.e. results in rp_filter = 0.


Also related, setting firewall source-validation should perhaps configure net.ipv4.conf.default.rp_filter as opposed to net.ipv4.conf.all.rp_filter, because if one wants to disable reverse path validation only for a certain interface, but default to strict for others, at the moment it is not possible.

Details

Difficulty level
Unknown (require assessment)
Version
1.2-rolling-201910180117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer changed the task status from Open to Needs testing.Nov 16 2019, 11:05 PM
syncer assigned this task to Dmitry.
syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

just tested - 1.2.6-S1 - it is still working as described by ciprian.craciun

@ciprian.craciun

On VyOS 1.2-rolling-201910180117, setting ip source-validation loose seems to have the same outcome as setting it to disable, i.e. results in rp_filter = 0.

What do you expect to see here?

  1. Bug: values on interfaces are overwritten by the firewall global parameter.

By default:

vyos@r4-1.3# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.vtun10.rp_filter = 0

Set the value "loose" for interface eth2:

vyos@r4-1.3# set interfaces ethernet eth2 ip source-validation 'loose'
[edit]
vyos@r4-1.3# commit
vyos@r4-1.3# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.vtun10.rp_filter = 0

Set global parameter "strict":

vyos@r4-1.3# set firewall source-validation 'strict'
[edit]
vyos@r4-1.3# commit
[edit]
vyos@r4-1.3# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
[edit]

As I understand it, interface parameters must override default values, but in this case the default value overwrites the interface value.

vyos@r4-1.3# run show conf com | match valid
set firewall source-validation 'strict'
set interfaces ethernet eth2 ip source-validation 'loose'

  2. Bug: per-interface values are not deleted after delete firewall.

Expected all values to be 0 except for interface eth2, as it has the configuration set interfaces ethernet eth2 ip source-validation 'loose'

vyos@r4-1.3# delete firewall 
[edit]
vyos@r4-1.3# commit
[edit]

vyos@r4-1.3# sudo sysctl -a | grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
[edit]
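The description above argues that the global firewall setting should seed net.ipv4.conf.default.rp_filter rather than net.ipv4.conf.all.rp_filter, and the sysctl snapshots in the comment show the global value overwriting the per-interface one. What neither spells out is how the kernel combines the two: for source validation on an interface, Linux uses the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter (Documentation/networking/ip-sysctl.rst), while net.ipv4.conf.default.rp_filter only seeds interfaces created afterwards. The following script is an added example, not VyOS code or anything from this report: it parses `sysctl -a` output, applies that max rule, and compares the effective mode against the operator's configured intent, so a mismatch like the eth2 case above can be detected instead of assumed. The two snapshots embedded in it are constructed copies of the values shown in the comment (the "expected" one is what the reporter argues VyOS should write), and the function and constant names are my own.

```python
"""Check effective rp_filter per interface against configured intent.

Added example for the VyOS source-validation bug report; not VyOS code.
Kernel rule (ip-sysctl.rst): effective rp_filter on <iface> is
max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter).
net.ipv4.conf.default.rp_filter is only a template for new interfaces.
"""
import re
from typing import Dict, Tuple

MODES = {0: "disable", 1: "strict", 2: "loose"}
MODE_NUM = {name: num for num, name in MODES.items()}

# sysctl prints VLAN interface names with '/' in place of '.', e.g. eth0/10.
RP_FILTER_RE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.rp_filter\s*=\s*([012])$")

# Constructed copy of the snapshot in the comment after
# "set firewall source-validation 'strict'" with eth2 configured 'loose'.
OBSERVED_AFTER_FIREWALL_STRICT = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
"""

# Constructed snapshot of what the reporter proposes: the global setting seeds
# 'default' (and interfaces without their own setting), 'all' stays 0, and the
# per-interface 'loose' on eth2 survives.
EXPECTED_WITH_DEFAULT = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.vtun10.rp_filter = 1
"""

# Operator intent taken from the config lines shown in the comment:
# global 'strict' for eth0/eth1, explicit 'loose' on eth2.
INTENT = {"eth0": "strict", "eth1": "strict", "eth2": "loose"}


def parse_rp_filter(sysctl_output: str) -> Dict[str, int]:
    """Map scope ('all', 'default' or interface name) to its rp_filter value."""
    values: Dict[str, int] = {}
    for line in sysctl_output.splitlines():
        m = RP_FILTER_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_rp_filter(values: Dict[str, int], iface: str) -> int:
    """Mode the kernel actually enforces on iface: max(all, iface)."""
    key = iface.replace(".", "/")  # VLAN names appear as eth0/10 in sysctl
    return max(values.get("all", 0), values.get(key, 0))


def check_intent(values: Dict[str, int],
                 intended: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {iface: (intended_mode, effective_mode)} for every mismatch."""
    mismatches: Dict[str, Tuple[str, str]] = {}
    for iface, mode in intended.items():
        eff = effective_rp_filter(values, iface)
        if eff != MODE_NUM[mode]:
            mismatches[iface] = (mode, MODES[eff])
    return mismatches


if __name__ == "__main__":
    for label, snap in (("observed", OBSERVED_AFTER_FIREWALL_STRICT),
                        ("expected", EXPECTED_WITH_DEFAULT)):
        bad = check_intent(parse_rp_filter(snap), INTENT)
        print(f"{label}: {'OK' if not bad else bad}")
```

Running it reports eth2 as ("loose", "strict") for the observed snapshot and no mismatch for the proposed one. The max rule also explains why the reporter's proposal matters for per-interface disable specifically: with all=1, a per-interface value of 2 still yields loose (max(1, 2) = 2), but a per-interface 0 is forced to strict (max(1, 0) = 1), so an interface can only be exempted from reverse-path validation if the global setting lives in default rather than all. To use this on a live router, replace the embedded snapshot with the output of `sudo sysctl -a | grep "\.rp_filter"` and fill INTENT from `show configuration commands | match source-validation`.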

@Viacheslav Sorry for the long delay in replying.

Looking at my initial bug I think there were two separate issues:

  • using loose or disable didn't matter (they were both treated as disable).
  • as you've observed, the source-validation in firewall seems to override everything else.

Looking in my own configuration, I have the following:

  • at firewall level set to disable;
  • at interface level set to strict;
  • at interface VLAN level some are loose;
  • on PPPoE interfaces again set to loose;

Looking with sysctl I get the following values:

  • 0 (i.e. disabled) for all and default; (as expected;)
  • 1 (i.e. strict) for eth* interfaces; (as expected;)
  • 0 (i.e. disabled) for all eth*/* VLAN interfaces; (not as expected, given that at least some VLANs have strict settings;)
  • 0 (i.e. disabled) for all pppoe* interfaces; (not as expected, given that I've set them to loose;)

So I think there are multiple issues that might manifest in my case.

(I am still using 1.2-rolling-201910180117.)

erkin set Issue type to Bug (incorrect behavior).Tue, Aug 31, 6:29 PM