Bug 1653824 - Continue setting rp_filter=1
Summary: Continue setting rp_filter=1
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Lukáš Nykrýn
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Duplicates: 1669504
Depends On:
Blocks:
Reported: 2018-11-27 17:16 UTC by Lubomir Rintel
Modified: 2019-06-14 01:55 UTC (History)

Fixed In Version: systemd-239-12.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:55:01 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Bugzilla 1673763
Private: 0
Priority: medium
Status: CLOSED
Summary: Stop setting rp_filter=1 for workstations
Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1669504 1673763

Description Lubomir Rintel 2018-11-27 17:16:51 UTC
systemd package ships this:

/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.all.rp_filter = 1

This is just wrong. The strict filter drops legitimate traffic if the machine has more than one interface in the same network (as is usual when the user plugs in a cable when connected over a Wi-Fi bridged to the same network, or connects to a VPN).

Moreover it interferes badly with the connectivity checking in case of multiple default routers. In other words: if the user has a Wi-Fi connected to the internet and plugs in the cable that also has a default route, we want to check whether the cable is internet-connected also, prior to bumping its metric to make it default. The strict rp_filter drops our traffic.

Currently NetworkManager flips it to rp_filter=2, but that upsets the few users that need the strict rp_filter (bug #1651097).

It would be much better if neither systemd nor NetworkManager touched the sysctl.

If someone actually prefers the strict rp_filter, then it perhaps should only be enabled on RHEL Server, but certainly not RHEL Workstation.

Comment 1 Lubomir Rintel 2018-11-28 11:13:18 UTC
Upstream PR: https://github.com/systemd/systemd/pull/10971

Comment 2 Thomas Haller 2018-12-11 19:33:28 UTC
Apologies for my impatient ping, but is there any chance to still get this for RHEL-8.0?

Comment 3 Lukáš Nykrýn 2018-12-11 19:42:14 UTC
https://github.com/lnykryn/systemd-rhel/pull/255

Comment 5 Lukáš Nykrýn 2018-12-12 10:00:24 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/255 -> post

Comment 7 Lubomir Rintel 2019-01-30 17:24:28 UTC
Notes from what we concluded in a meeting
=========================================

It turns out this is not entirely problem-free. Notably, there would be some 
unpleasant surprises waiting for the users who are used to the old default. See
bug #1669504. It seems we need to ship different defaults to server users than
to the workstation users:

The Workstation experience suffers from the rp_filter strict mode: in presence
of multiple routes to the same network, only one of the lowest metric works. This
breaks the connections established over a wireless interface when the user
plugs an ethernet plug and makes connectivity checking of new connections
impossible.

The rp_filter makes sense on some server installations, routers particularly.
Their users may already be relying on the default of strict rp_filter.

It seems that we need to end up shipping different configurations to these
groups: defaulting to one mode and overriding it where it doesn't make sense. 
Given most of our users are not Workstation users, let's do this:

1.) Flip the default in RHEL back to the strict mode (rp_filter=1)

2.) Override it with a drop-in file on Workstation. One possibility is to ship 
    /usr/lib/sysctl.d/60-NetworkManager.conf that sets rp_filter=0 in
    NetworkManager-config-connectivity-rhel, because connectivity checking is
    where rp_filter gets in the way.

Note that we're disabling it altogether (0) as opposed to setting it to the 
loose mode (2), because the two are equivalent in presence of a default route.

Does this make sense?
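
Added example, not part of the bug thread and not systemd's own code: a Python model of the sysctl.d precedence that decides between the 50-default.conf value and the 60-NetworkManager.conf override proposed in comment 7, plus the kernel's max(all, interface) rule. File contents are constructed, and 99-rp-filter.conf is a hypothetical admin file name.

```python
import os

# Directories from sysctl.d(5), highest priority first. A file in an earlier
# directory masks a same-named file in a later one; the surviving files are
# applied in lexical order of file name, so the last assignment wins.
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d"]
KEY = "net.ipv4.conf.all.rp_filter"

def effective_setting(files, key=KEY):
    """files maps absolute path -> file text. Returns (value, winning path).

    Simplified: only dotted key names are matched (no '/' separators, no globs).
    """
    by_name = {}
    for directory in reversed(SYSCTL_DIRS):          # lowest priority first
        for path, text in files.items():
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                by_name[os.path.basename(path)] = (path, text)
    value = source = None
    for name in sorted(by_name):                     # 50-... before 60-...
        path, text = by_name[name]
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lstrip("-") == key:                 # leading '-' = ignore errors
                value, source = v, path
    return value, source

def effective_rp_filter(all_value, iface_value):
    """The kernel validates sources with max(conf/all, conf/<iface>)."""
    return max(int(all_value), int(iface_value))

# Constructed file contents for the two layouts discussed in comment 7.
SERVER = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 1\n",
}
WORKSTATION = dict(SERVER, **{
    "/usr/lib/sysctl.d/60-NetworkManager.conf": "net.ipv4.conf.all.rp_filter = 0\n",
})
# An admin who wants strict mode back on a workstation: a 50-* file in /etc
# only masks the vendor 50-default.conf and still loses to 60-NetworkManager.conf.
ADMIN_50 = dict(WORKSTATION, **{
    "/etc/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 1\n",
})
# A name that sorts after 60-* is what actually restores strict mode.
ADMIN_99 = dict(WORKSTATION, **{
    "/etc/sysctl.d/99-rp-filter.conf": "net.ipv4.conf.all.rp_filter = 1\n",
})
```

Even when the resolved conf/all value is 0, an interface whose own rp_filter is 1 is still filtered strictly, so audit the per-interface values as well as the drop-ins.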

Comment 9 Marcelo Ricardo Leitner 2019-02-01 18:39:03 UTC
(In reply to Lubomir Rintel from comment #7)
> 2.) Override it with a drop-in file on Workstation. One possibility is to
> ship 
>     /usr/lib/sysctl.d/60-NetworkManager.conf that sets rp_filter=0 in
>     NetworkManager-config-connectivity-rhel, because connectivity checking is
>     where rp_filter gets in the way.

Note that we should also relax firewalld ip6 protection too then.

Comment 10 Marcelo Ricardo Leitner 2019-02-07 17:14:53 UTC
Updating summary to reflect current understanding. Let's discuss this again for 8.1 then.

Comment 12 Marcelo Ricardo Leitner 2019-02-08 00:13:53 UTC
Adding 8.1 bug to external trackers.

Comment 13 Lukáš Nykrýn 2019-02-08 10:10:20 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/292 -> post

Comment 14 Guillaume Nault 2019-02-14 14:11:47 UTC
*** Bug 1669504 has been marked as a duplicate of this bug. ***

