
Bug 1653824

Summary: Continue setting rp_filter=1
Product: Red Hat Enterprise Linux 8
Component: systemd
Version: 8.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Lubomir Rintel <lrintel>
Assignee: Lukáš Nykrýn <lnykryn>
QA Contact: Frantisek Sumsal <fsumsal>
CC: aloughla, fsumsal, lnykryn, lrintel, mleitner, systemd-maint-list, thaller, wchadwic
Target Milestone: rc
Target Release: 8.0
Flags: rule-engine: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: systemd-239-12.el8
Last Closed: 2019-06-14 01:55:01 UTC
Type: Bug

Description Lubomir Rintel 2018-11-27 17:16:51 UTC
systemd package ships this:

/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.all.rp_filter = 1

This is just wrong. The strict filter drops legitimate traffic if the machine has more than one interface in the same network (as is usual when the user plugs in a cable when connected over a Wi-Fi bridged to the same network, or connects to a VPN).

Moreover it interferes badly with the connectivity checking in case of multiple default routers. In other words: if the user has a Wi-Fi connected to the internet and plugs in the cable that also has a default route, we want to check whether the cable is internet-connected also, prior to bumping its metric to make it default. The strict rp_filter drops our traffic.

Currently NetworkManager flips it to rp_filter=2, but that upsets the few users that need the strict rp_filter (bug #1651097).

It would be much better if neither systemd nor NetworkManager touched the sysctl.

If someone actually prefers the strict rp_filter, then it perhaps should only be enabled on RHEL Server, but certainly not RHEL Workstation.
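The behaviour described in this report can be reproduced with a simplified model of the IPv4 reverse-path check. This is an added example, not code from the bug or from the kernel; the routing table, metrics, interface names and probe address are constructed, and the lookup is reduced to longest-prefix match with the lowest metric breaking ties.

```python
import ipaddress

def best_route(routes, addr):
    """Longest-prefix match, ties broken by lowest metric (simplified lookup)."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["dst"])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen,
                                    r["metric"]))

def rp_filter_accepts(mode, routes, src, in_iface):
    """Simplified reverse-path check: 0 = off, 1 = strict, 2 = loose."""
    if mode == 0:
        return True
    route = best_route(routes, src)
    if route is None:
        return False                     # source unreachable by any route
    if mode == 2:
        return True                      # loose: reachable via any interface
    return route["dev"] == in_iface      # strict: must be the best reverse path

# Constructed table: Wi-Fi and cable on the same network, each with a default
# route; the newly plugged cable still has the higher metric.
ROUTES = [
    {"dst": "0.0.0.0/0",      "dev": "wlan0", "metric": 600},
    {"dst": "0.0.0.0/0",      "dev": "eth0",  "metric": 20100},
    {"dst": "192.168.1.0/24", "dev": "wlan0", "metric": 600},
    {"dst": "192.168.1.0/24", "dev": "eth0",  "metric": 20100},
]

def scenario(mode, routes=ROUTES, src="203.0.113.10"):
    """Is a reply from src accepted when it arrives on (wlan0, eth0)?"""
    return tuple(rp_filter_accepts(mode, routes, src, dev)
                 for dev in ("wlan0", "eth0"))

if __name__ == "__main__":
    for mode in (0, 1, 2):
        print("rp_filter =", mode, "->", scenario(mode))
```

In strict mode the reply to a connectivity probe sent over the cable is dropped because the best reverse route points at the Wi-Fi interface; modes 0 and 2 only differ once no route at all covers the source.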

Comment 1 Lubomir Rintel 2018-11-28 11:13:18 UTC
Upstream PR: https://github.com/systemd/systemd/pull/10971

Comment 2 Thomas Haller 2018-12-11 19:33:28 UTC
Apologies for my impatient ping, but is there any chance to still get this for RHEL-8.0?

Comment 3 Lukáš Nykrýn 2018-12-11 19:42:14 UTC
https://github.com/lnykryn/systemd-rhel/pull/255

Comment 5 Lukáš Nykrýn 2018-12-12 10:00:24 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/255 -> post

Comment 7 Lubomir Rintel 2019-01-30 17:24:28 UTC
Notes from what we concluded in a meeting
=========================================

It turns out this is not entirely problem-free. Notably, there would be some 
unpleasant surprises waiting for the users who are used to the old default. See
bug #1669504. It seems we need to ship different defaults to server users than
to the workstation users:

The Workstation experience suffers from the rp_filter strict mode: in the
presence of multiple routes to the same network, only the one with the lowest
metric works. This breaks the connections established over a wireless
interface when the user plugs in an ethernet plug and makes connectivity
checking of new connections impossible.

The rp_filter makes sense on some server installations, routers particularly.
Their users may already be relying on the default of strict rp_filter.

It seems that we need to end up shipping different configurations to these
groups: defaulting to one mode and overriding it where it doesn't make sense. 
Given most of our users are not Workstation users, let's do this:

1.) Flip the default in RHEL back to the strict mode (rp_filter=1)

2.) Override it with a drop-in file on Workstation. One possibility is to ship 
    /usr/lib/sysctl.d/60-NetworkManager.conf that sets rp_filter=0 in
    NetworkManager-config-connectivity-rhel, because connectivity checking is
    where rp_filter gets in the way.

Note that we're disabling it altogether (0) as opposed to setting it to the 
loose mode (2), because the two are equivalent in presence of a default route.

Does this make sense?
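To audit which value a host ends up with under a default-plus-drop-in layout like the one proposed above, the following added example (not systemd or NetworkManager code) resolves sysctl.d files in the order documented in sysctl.d(5) and then applies the kernel rule that source validation on an interface uses the maximum of the `all` and per-interface `rp_filter` values. The contents of the 60-NetworkManager.conf and 10-site.conf files are constructed, and falling back to `conf.default` for an interface without an explicit setting is an assumption of this sketch.

```python
import posixpath

# Same-named files: /etc overrides /run, which overrides /usr/lib (sysctl.d(5)).
DIRS = ["/usr/lib/sysctl.d", "/run/sysctl.d", "/etc/sysctl.d"]

def resolve_sysctl(files):
    """files maps path -> file text. Returns {key: (value, winning path)}."""
    chosen = {}
    for path in files:
        directory, name = posixpath.split(path)
        if directory not in DIRS or not name.endswith(".conf"):
            continue
        rank = DIRS.index(directory)
        if name not in chosen or rank > chosen[name][0]:
            chosen[name] = (rank, path)
    settings = {}
    # Files apply in lexicographic order of file name, whatever their
    # directory, so the last file to mention a key wins.
    for name in sorted(chosen):
        path = chosen[name][1]
        for line in files[path].splitlines():
            line = line.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lstrip("-")] = (value, path)  # "-key": ignore errors
    return settings

def effective_rp_filter(settings, iface):
    """Kernel rule: max(conf.all.rp_filter, conf.<iface>.rp_filter)."""
    def value(scope, fallback=0):
        entry = settings.get(f"net.ipv4.conf.{scope}.rp_filter")
        return int(entry[0]) if entry else fallback
    # Assumption: an interface with no explicit setting inherits conf.default.
    return max(value("all"), value(iface, value("default")))

# The first entry is the line quoted in the bug; the other two are constructed.
FILES = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 1\n",
    "/usr/lib/sysctl.d/60-NetworkManager.conf": "net.ipv4.conf.all.rp_filter = 0\n",
    "/etc/sysctl.d/10-site.conf": "net.ipv4.conf.eth0.rp_filter = 1\n",
}
```

With these files the drop-in wins for `conf.all`, yet the constructed per-interface setting keeps that one interface in strict mode, which is worth checking on hosts that carry older site configuration.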

Comment 9 Marcelo Ricardo Leitner 2019-02-01 18:39:03 UTC
(In reply to Lubomir Rintel from comment #7)
> 2.) Override it with a drop-in file on Workstation. One possibility is to
> ship 
>     /usr/lib/sysctl.d/60-NetworkManager.conf that sets rp_filter=0 in
>     NetworkManager-config-connectivity-rhel, because connectivity checking is
>     where rp_filter gets in the way.

Note that we should also relax firewalld ip6 protection too then.

Comment 10 Marcelo Ricardo Leitner 2019-02-07 17:14:53 UTC
Updating summary to reflect current understanding. Let's discuss this again for 8.1 then.

Comment 12 Marcelo Ricardo Leitner 2019-02-08 00:13:53 UTC
Adding 8.1 bug to external trackers.

Comment 13 Lukáš Nykrýn 2019-02-08 10:10:20 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/292 -> post

Comment 14 Guillaume Nault 2019-02-14 14:11:47 UTC
*** Bug 1669504 has been marked as a duplicate of this bug. ***