Description of problem:
`ipsec verify` and upstream FAQ recommends disabling rp_filter but /etc/sysctl.d/50-libreswan.conf does not disable it

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                           [OK]
Libreswan 3.32 (netkey) on 5.4.17-2036.104.5.el8uek.x86_64
Checking for IPsec support in kernel                      [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                      [OK]
         ICMP default/accept_redirects                    [OK]
         XFRM larval drop                                 [OK]
Pluto ipsec.conf syntax                                   [OK]
Checking rp_filter                                        [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                    [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                            [OK]
 Pluto listening for IKE on udp 500                       [OK]
 Pluto listening for IKE/NAT-T on udp 4500                [OK]
Pluto ipsec.secret syntax                                 [OK]
Checking 'ip' command                                     [OK]
Checking 'iptables' command                               [OK]
Checking 'prelink' command does not interfere with FIPS   [OK]
Checking for obsolete ipsec.conf options                  [OK]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

[root@localhost ~]# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

[root@localhost ~]# rpm -qi libreswan
Name        : libreswan
Version     : 3.32
Release     : 7.0.1.el8_3
Architecture: x86_64
Install Date: Fri 02 Apr 2021 01:15:58 PM EEST
Group       : Unspecified
Size        : 4897354
License     : GPLv2
Signature   : RSA/SHA256, Tue 10 Nov 2020 03:51:23 AM EET, Key ID 82562ea9ad986da3
Source RPM  : libreswan-3.32-7.0.1.el8_3.src.rpm
Build Date  : Tue 10 Nov 2020 03:40:03 AM EET
Build Host  : jenkins-172-17-0-2-c5b0924f-57ee-47f9-9480-e1f94219cf65.blddevtest1iad.osdevelopmeniad.oraclevcn.com
Relocations : (not relocatable)
Vendor      : Oracle America
URL         : https://libreswan.org/
Summary     : IPsec implementation with IKEv1 and IKEv2 keying protocols

Yes, I know this is observed on OL but they keep RH defaults when rebuilding: rhel8.3 sources -> libreswan-3.32/packaging/fedora/libreswan-sysctl.conf
further observation: upstream FAQ recommends altering net.ipv4.conf.default.rp_filter while `ipsec verify` actually complains about both "net.ipv4.conf.all.rp_filter" and "net.ipv4.conf.default.rp_filter"
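As an added illustration (not libreswan's own code and not part of the report), the following POSIX shell functions read the two rp_filter knobs that `ipsec verify` checks and emit the lines missing from 50-libreswan.conf; the optional root-directory argument and the "any non-zero value counts as enabled" rule are assumptions made here so the check can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not libreswan code. Inspect the rp_filter sysctls that
# `ipsec verify` complains about (both "all" and "default", while the FAQ
# only names "default") and generate the drop-in lines to fix them.
# $1 is an optional root prefix (assumption) so tests can point at a fake tree;
# with no argument the real /proc/sys is read.

# Print "<sysctl key> <value>" for net.ipv4.conf.{all,default}.rp_filter.
# An unreadable file is reported as "missing" instead of aborting.
rp_filter_values() {
    root=${1:-}
    for iface in all default; do
        f="$root/proc/sys/net/ipv4/conf/$iface/rp_filter"
        if [ -r "$f" ]; then
            printf 'net.ipv4.conf.%s.rp_filter %s\n' "$iface" "$(cat "$f")"
        else
            printf 'net.ipv4.conf.%s.rp_filter missing\n' "$iface"
        fi
    done
}

# Exit 0 only when both knobs read 0 (disabled). Loose mode (2) and a
# missing file are treated as "not disabled" here, following the FAQ's
# "disable rp_filter" wording (assumption, not verify's exact logic).
rp_filter_disabled() {
    rp_filter_values "$1" | awk 'BEGIN { bad = 0 } $2 != "0" { bad = 1 } END { exit bad }'
}

# Lines to append to /etc/sysctl.d/50-libreswan.conf so that both knobs
# checked by `ipsec verify` are covered, not just "default".
rp_filter_sysctl_fragment() {
    printf '%s\n' \
        '# rp_filter is not fully aware of IPsec (see ipsec verify / upstream FAQ)' \
        'net.ipv4.conf.default.rp_filter = 0' \
        'net.ipv4.conf.all.rp_filter = 0'
}
```

Run `rp_filter_disabled || rp_filter_sysctl_fragment` on a live host to print exactly the lines the shipped file lacks when the check fails.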