Bug 1957769

Summary: `ipsec verify` and upstream FAQ recommend disabling rp_filter but /etc/sysctl.d/50-libreswan.conf does not disable it
Product: Red Hat Enterprise Linux 8
Component: libreswan
Version: 8.3
Reporter: Mai Ling <mailinglists35>
Assignee: Daiki Ueno <dueno>
QA Contact: Ondrej Moriš <omoris>
CC: jpazdziora, omoris
Status: NEW
Severity: low
Priority: low
Target Milestone: beta
Target Release: ---
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: If docs needed, set a value

Description Mai Ling 2021-05-06 12:39:36 UTC
Description of problem:
`ipsec verify` and upstream FAQ recommend disabling rp_filter but /etc/sysctl.d/50-libreswan.conf does not disable it

Additional info:
[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.32 (netkey) on 5.4.17-2036.104.5.el8uek.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

[root@localhost ~]# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

[root@localhost ~]# rpm -qi libreswan
Name        : libreswan
Version     : 3.32
Release     : 7.0.1.el8_3
Architecture: x86_64
Install Date: Fri 02 Apr 2021 01:15:58 PM EEST
Group       : Unspecified
Size        : 4897354
License     : GPLv2
Signature   : RSA/SHA256, Tue 10 Nov 2020 03:51:23 AM EET, Key ID 82562ea9ad986da3
Source RPM  : libreswan-3.32-7.0.1.el8_3.src.rpm
Build Date  : Tue 10 Nov 2020 03:40:03 AM EET
Build Host  : jenkins-172-17-0-2-c5b0924f-57ee-47f9-9480-e1f94219cf65.blddevtest1iad.osdevelopmeniad.oraclevcn.com
Relocations : (not relocatable)
Vendor      : Oracle America
URL         : https://libreswan.org/
Summary     : IPsec implementation with IKEv1 and IKEv2 keying protocols

Yes, I know this is observed on OL, but they keep RH defaults when rebuilding: rhel8.3 sources -> libreswan-3.32/packaging/fedora/libreswan-sysctl.conf

Comment 1 Mai Ling 2021-05-06 12:50:05 UTC
Further observation: the upstream FAQ recommends altering net.ipv4.conf.default.rp_filter, while `ipsec verify` actually complains about both "net.ipv4.conf.all.rp_filter" and "net.ipv4.conf.default.rp_filter".
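As an added example (not libreswan's own `ipsec verify` code and not a file the package ships), the following shell functions check the two keys the report discusses, `all` and `default`, and go one step further by reporting the effective value on each existing interface, since the kernel applies max(conf/all, conf/<iface>) and interfaces created before `default` was changed keep their own value. The sysctl path can be overridden for testing; the drop-in filename in the fragment is a placeholder.

```shell
#!/bin/sh
# Added example: verify rp_filter state for IPsec hosts.
# Kernel semantics (Documentation/networking/ip-sysctl): 0 = off, 1 = strict,
# 2 = loose; the value applied to an interface is max(conf/all, conf/<iface>).

# read_rp NAME [SYSDIR] -> prints the value, or "missing" if the file is absent.
read_rp() {
    f="${2:-/proc/sys/net/ipv4/conf}/$1/rp_filter"
    [ -r "$f" ] && cat "$f" || echo missing
}

# check_rp_filter [SYSDIR]
# Returns 0 when rp_filter is off for all, default and every interface;
# returns 1 (and prints the offending entries) otherwise.
check_rp_filter() {
    sysdir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    all=$(read_rp all "$sysdir")
    for name in all default; do                 # the two keys ipsec verify flags
        v=$(read_rp "$name" "$sysdir")
        if [ "$v" = "0" ]; then
            echo "$name/rp_filter [OK]"
        else
            echo "$name/rp_filter=$v [ENABLED]"; rc=1
        fi
    done
    for d in "$sysdir"/*/; do                   # existing interfaces
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac
        v=$(read_rp "$name" "$sysdir")
        eff=$v
        [ "$all" -gt "$v" ] 2>/dev/null && eff=$all   # effective = max(all, iface)
        if [ "$eff" != "0" ]; then
            echo "$name/rp_filter effective=$eff [ENABLED]"; rc=1
        fi
    done
    return $rc
}

# Sysctl drop-in covering both keys the report mentions. Setting `default`
# only affects interfaces created afterwards, so `all` must be 0 as well.
rp_filter_sysctl_fragment() {
    cat <<'EOF'
# /etc/sysctl.d/51-libreswan-rp_filter.conf (placeholder name, added example)
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF
}
```

Run `check_rp_filter` with no argument on a live host; a non-zero exit means at least one rp_filter value is still active and `ipsec verify` will keep reporting it.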