Change Details

Hello! In VyOS [[ https://github.com/vyos/vyatta-cfg-firewall/blob/1f010c0a0d4ae6e4f37d9f71d0e97df2fc44b999/templates/firewall/source-validation/node.def | vyatta-cfg-firewall repository ]] is a wrong definition of rp_filter options, that lead to problems with disabling this option on the fly. In node.def we have: > rp_filter > default value - 0 > conf/all/rp_filter and conf/[interface]/rp_filter **both must be set** to > a value greater than 0 to do source validation on the interface But, at [[ https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt | kernel.org ]] information is different: > The **max value** from conf/{all,interface}/rp_filter is used > when doing source validation on the {interface}. So, when we disabling rp_filter with current way: ``` delete: sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter" ``` we actually don't do this.

Hello! In VyOS [[ https://github.com/vyos/vyatta-cfg-firewall/blob/1f010c0a0d4ae6e4f37d9f71d0e97df2fc44b999/templates/firewall/source-validation/node.def | vyatta-cfg-firewall repository ]] is a wrong definition of rp_filter options, that lead to problems with disabling this option on the fly. In node.def we have: > rp_filter > default value - 0 > conf/all/rp_filter and conf/[interface]/rp_filter **both must be set** to > a value greater than 0 to do source validation on the interface But, at [[ https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt | kernel.org ]] information is different: > The **max value** from conf/{all,interface}/rp_filter is used > when doing source validation on the {interface}. So, when we disabling rp_filter with current way: ``` ... [skipped part] ... else sudo sh -c "echo 0 > \ /proc/sys/net/ipv4/conf/all/rp_filter" fi delete: sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter" ``` we actually don't do this.

Hello! In VyOS [[ https://github.com/vyos/vyatta-cfg-firewall/blob/1f010c0a0d4ae6e4f37d9f71d0e97df2fc44b999/templates/firewall/source-validation/node.def | vyatta-cfg-firewall repository ]] is a wrong definition of rp_filter options, that lead to problems with disabling this option on the fly. In node.def we have: > rp_filter > default value - 0 > conf/all/rp_filter and conf/[interface]/rp_filter **both must be set** to > a value greater than 0 to do source validation on the interface But, at [[ https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt | kernel.org ]] information is different: > The **max value** from conf/{all,interface}/rp_filter is used > when doing source validation on the {interface}. So, when we disabling rp_filter with current way: ``` ... [skipped part] ... else sudo sh -c "echo 0 > \ /proc/sys/net/ipv4/conf/all/rp_filter" fi delete: sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter" ``` we actually don't do this.