Bug 1957769
| Summary: | `ipsec verify` and upstream FAQ recommend disabling rp_filter but /etc/sysctl.d/50-libreswan.conf does not disable it | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Mai Ling <mailinglists35> |
| Component: | libreswan | Assignee: | Daiki Ueno <dueno> |
| Status: | NEW --- | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.3 | CC: | jpazdziora, omoris |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Further observation: upstream FAQ recommends altering net.ipv4.conf.default.rp_filter while `ipsec verify` actually complains about both "net.ipv4.conf.all.rp_filter" and "net.ipv4.conf.default.rp_filter".
Description of problem:
`ipsec verify` and upstream FAQ recommend disabling rp_filter but /etc/sysctl.d/50-libreswan.conf does not disable it

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

```
[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.32 (netkey) on 5.4.17-2036.104.5.el8uek.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
```

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

```
[root@localhost ~]# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
```

```
[root@localhost ~]# rpm -qi libreswan
Name        : libreswan
Version     : 3.32
Release     : 7.0.1.el8_3
Architecture: x86_64
Install Date: Fri 02 Apr 2021 01:15:58 PM EEST
Group       : Unspecified
Size        : 4897354
License     : GPLv2
Signature   : RSA/SHA256, Tue 10 Nov 2020 03:51:23 AM EET, Key ID 82562ea9ad986da3
Source RPM  : libreswan-3.32-7.0.1.el8_3.src.rpm
Build Date  : Tue 10 Nov 2020 03:40:03 AM EET
Build Host  : jenkins-172-17-0-2-c5b0924f-57ee-47f9-9480-e1f94219cf65.blddevtest1iad.osdevelopmeniad.oraclevcn.com
Relocations : (not relocatable)
Vendor      : Oracle America
URL         : https://libreswan.org/
Summary     : IPsec implementation with IKEv1 and IKEv2 keying protocols
```

Yes, I know this is observed on OL, but they keep RH defaults when rebuilding: rhel8.3 sources -> libreswan-3.32/packaging/fedora/libreswan-sysctl.conf
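Added example (not from the bug report and not libreswan's own code): a POSIX shell check that mirrors the contrast in the report, reading the all/default rp_filter values that `ipsec verify` inspects and listing which rp_filter keys a 50-libreswan.conf-style fragment leaves unset. The function names and the ROOT parameter are assumptions; the fragment in the demo is a constructed copy of the one quoted above.

```shell
#!/bin/sh
# Added example (not libreswan code). ROOT is an assumption added so the
# checks can run against a constructed tree instead of the real /proc/sys.

# rp_filter_state [ROOT]: print "<scope> <value>" for the two knobs
# `ipsec verify` reads: net/ipv4/conf/{all,default}/rp_filter.
rp_filter_state() {
    root=${1:-/proc/sys}
    for scope in all default; do
        f="$root/net/ipv4/conf/$scope/rp_filter"
        if [ -r "$f" ]; then
            printf '%s %s\n' "$scope" "$(cat "$f")"
        else
            printf '%s missing\n' "$scope"
        fi
    done
}

# rp_filter_enabled [ROOT]: succeed when any knob is not 0 (what `ipsec
# verify` prints as [ENABLED]); a missing knob is flagged too.
rp_filter_enabled() {
    rp_filter_state "$1" | awk '$2 != "0" { hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# sysctl_missing_rp_filter FILE: print the "key = 0" lines FILE lacks, i.e.
# what the shipped 50-libreswan.conf would need to disable rp_filter at boot.
sysctl_missing_rp_filter() {
    for key in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
        re=$(printf '%s' "$key" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*$re[[:space:]]*=" "$1" 2>/dev/null; then
            printf '%s = 0\n' "$key"
        fi
    done
}

# Demo against a constructed copy of the fragment quoted in the report:
demo=$(mktemp -d)
cat > "$demo/50-libreswan.conf" <<'EOF'
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
EOF
sysctl_missing_rp_filter "$demo/50-libreswan.conf"   # lists both rp_filter keys
rm -rf "$demo"
```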