Package: procps Version: 1:3.2.7-3 Severity: normal Hi,
while the patch supplied by the submitter of #337019 did add a
net/ipv4/conf/default/rp_filter=1 line to /etc/sysctl.conf in addition
to net/ipv4/conf/all/rp_filter=1, the fix introduced in 1:3.2.7-1 was
to use the former instead of the latter.
This however leaves net.ipv4.conf.all.rp_filter at the default of 0
and completely disables rp_filter - quoting
Documentation/networking/ip-sysctl.txt from the kernel source:
conf/all/rp_filter must also be set to TRUE to do source validation
on the interface
Taking a look at include/linux/inetdevice.h also confirms this:
#define IN_DEV_RPFILTER(in_dev) (ipv4_devconf.rp_filter &&
(in_dev)->cnf.rp_filter)
(ipv4_devconf.rp_filter being net.ipv4.conf.all.rp_filter and
(in_dev)->cnf.rp_filter being the per device net.ipv4.conf.*.rp_filter)
Thus /etc/sysctl.conf needs to have both lines, as suggested in the
original patch.
elmar
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-bdclaim
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages procps depends on:
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libncurses5 5.5-3 Shared libraries for terminal hand
ii lsb-base 3.1-15 Linux Standard Base 3.1 init scrip
Versions of packages procps recommends:
ii psmisc 22.3-1 Utilities that use the proc filesy
-- no debconf information
--
.'"`. /"\
| :' : Elmar Hoffmann <[EMAIL PROTECTED]> ASCII Ribbon Campaign \ /
`. `' GPG key available via pgp.net against HTML email X
`- & vCards / \
signature.asc
Description: Digital signature
