** Description changed:

  [impact]

- Using ifupdown, an interface's rp-filter value cannot be set to 2.
+ Using ifupdown, vlan supported setting an interface's rp-filter value,
+ but that can only set 0 or 1, but it cannot be set to 2.

  [test case]

  On any system using ifupdown to manage interfaces, add to an interface's
  config:

  if-rp-filter 2

  When the interface is brought up, its
  /proc/sys/net/ipv4/conf/$IFACE/rp_filter value will be set to 1 instead
  of 2. With the fixed vlan package, its value will correctly be set to
  2.

  [regression potential]

  problems with this change could affect the value of an interface's
  rp_filter value.

  [other]

  the upstream debian bug for this has been open for 3 years without
  change, so it is unlikely debian will fix this.
+
+ As outlined in c#4 and c#13 this setting is vlan not generally required
+ for vlans (but often used with them). So it in question if eventually it
+ should be added elsewhere and removed here, but for the SRU the bug is
+ where it is (in the vlan package) and there it has to be fixed.
+
+ ---

  [original description]

  When configuring a VLAN interface on /etc/network/interfaces, setting
  the ip-rp-filter value to 2 (loose mode reverse filtering) gets
  overridden by the /etc/network/if-up.d/ip script, which only allows for
  values 0 and 1.

  This is the relevant configuration in /etc/network/interfaces

  # The primary network interface
  auto eno1
  iface eno1 inet static
      address 10.1.2.36
      netmask 255.255.0.0
      gateway 10.1.1.2
      dns-search xxx.yy
      dns-nameservers 10.1.2.22 10.1.2.24

  # The administrative network
  auto eno1.2
  iface eno1.2 inet static
      address 172.16.1.8
      netmask 255.255.0.0
      ip-rp-filter 2
      vlan-raw-device eno1

  But it does not get correctly set

  ~# cat /proc/sys/net/ipv4/conf/eno1.2/rp_filter
  1

  And this is the script overriding the configuration

  ~# cat /etc/network/if-up.d/ip
  #!/bin/sh
  # This should probably go into ifupdown
  # But usually only those with lots of interfaces (vlans) need these
  if [ -d "/proc/sys/net/ipv4/conf/$IFACE" ]
  then
      if [ -n "$IF_IP_PROXY_ARP" ]; then
          if [ "$IF_IP_PROXY_ARP" -eq "1" ]; then
              echo 1 > "/proc/sys/net/ipv4/conf/$IFACE/proxy_arp"
          else
              echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/proxy_arp"
          fi
      fi
      if [ -n "$IF_IP_RP_FILTER" ]; then
          if [ "$IF_IP_RP_FILTER" -eq "0" ]; then
              echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"
          else
              echo 1 > "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"
          fi
      fi
  fi

  It checks if $IF_IP_RP_FILTER is 0 and sets it as 0, otherwise sets it
  as 1, so it never allows to set is to 2 (loose mode).
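
Review bot: the [test case] step uses the option name if-rp-filter 2, which does not match what the quoted hook reads. The script tests $IF_IP_RP_FILTER, and ifupdown builds that variable from an option spelled ip-rp-filter (the spelling used in the eno1.2 stanza of the original description), so a stanza containing if-rp-filter 2 would never reach the rp_filter branch and the test would not exercise the fix. Suggest changing the test case line to ip-rp-filter 2.
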
** Description changed:

  [impact]

  Using ifupdown, vlan supported setting an interface's rp-filter value,
  but that can only set 0 or 1, but it cannot be set to 2.

  [test case]

  On any system using ifupdown to manage interfaces, add to an interface's
  config:

  if-rp-filter 2

- When the interface is brought up, its
- /proc/sys/net/ipv4/conf/$IFACE/rp_filter value will be set to 1 instead
- of 2. With the fixed vlan package, its value will correctly be set to
- 2.
+ When the interface is brought up, its /proc/sys/net/ipv4/conf/$IFACE/rp_filter value will be set to 1 instead of 2. With the fixed vlan package, its value will correctly be set to 2.
+ See also c#9 for a test example

  [regression potential]

  problems with this change could affect the value of an interface's
  rp_filter value.

  [other]

  the upstream debian bug for this has been open for 3 years without
  change, so it is unlikely debian will fix this.

  As outlined in c#4 and c#13 this setting is vlan not generally required
  for vlans (but often used with them). So it in question if eventually it
  should be added elsewhere and removed here, but for the SRU the bug is
  where it is (in the vlan package) and there it has to be fixed.

  ---

  [original description]

  When configuring a VLAN interface on /etc/network/interfaces, setting
  the ip-rp-filter value to 2 (loose mode reverse filtering) gets
  overridden by the /etc/network/if-up.d/ip script, which only allows for
  values 0 and 1.

  This is the relevant configuration in /etc/network/interfaces

  # The primary network interface
  auto eno1
  iface eno1 inet static
      address 10.1.2.36
      netmask 255.255.0.0
      gateway 10.1.1.2
      dns-search xxx.yy
      dns-nameservers 10.1.2.22 10.1.2.24

  # The administrative network
  auto eno1.2
  iface eno1.2 inet static
      address 172.16.1.8
      netmask 255.255.0.0
      ip-rp-filter 2
      vlan-raw-device eno1

  But it does not get correctly set

  ~# cat /proc/sys/net/ipv4/conf/eno1.2/rp_filter
  1

  And this is the script overriding the configuration

  ~# cat /etc/network/if-up.d/ip
  #!/bin/sh
  # This should probably go into ifupdown
  # But usually only those with lots of interfaces (vlans) need these
  if [ -d "/proc/sys/net/ipv4/conf/$IFACE" ]
  then
      if [ -n "$IF_IP_PROXY_ARP" ]; then
          if [ "$IF_IP_PROXY_ARP" -eq "1" ]; then
              echo 1 > "/proc/sys/net/ipv4/conf/$IFACE/proxy_arp"
          else
              echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/proxy_arp"
          fi
      fi
      if [ -n "$IF_IP_RP_FILTER" ]; then
          if [ "$IF_IP_RP_FILTER" -eq "0" ]; then
              echo 0 > "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"
          else
              echo 1 > "/proc/sys/net/ipv4/conf/$IFACE/rp_filter"
          fi
      fi
  fi

  It checks if $IF_IP_RP_FILTER is 0 and sets it as 0, otherwise sets it
  as 1, so it never allows to set is to 2 (loose mode).

-- 
https://bugs.launchpad.net/bugs/1716964

Title:
  VLAN network script if-up.d/ip limits rp_filter value to 0 or 1
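
The value handling described in the report, as an added example (not part of the bug report and not the vlan package's actual fix): the first function reproduces the quoted 0-or-1 logic, the second passes the three kernel rp_filter modes through and rejects anything else. The function names and the SYSCTL_ROOT variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: value handling for the ip-rp-filter option of an ifupdown hook.
# SYSCTL_ROOT and all function names are hypothetical; the root defaults to
# /proc/sys and can point at a scratch directory for offline testing.

# Logic quoted in the bug report: anything that is not 0 becomes 1,
# so loose mode (2) is silently turned into strict mode (1).
legacy_rp_filter_value() {
    if [ "$1" -eq "0" ] 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

# Checked variant: pass 0 (off), 1 (strict) and 2 (loose) through unchanged
# and refuse anything else instead of guessing a mode.
checked_rp_filter_value() {
    case "$1" in
        0|1|2) echo "$1" ;;
        *)     return 1 ;;
    esac
}

# Write the validated value for one interface. Returns 0 when nothing was
# requested or the write succeeded, 1 on an invalid value, 2 when the
# interface has no sysctl directory.
apply_rp_filter() {
    iface=$1
    requested=$2
    dir="${SYSCTL_ROOT:-/proc/sys}/net/ipv4/conf/$iface"
    [ -n "$requested" ] || return 0
    [ -d "$dir" ] || return 2
    if ! value=$(checked_rp_filter_value "$requested"); then
        echo "ip-rp-filter: invalid value '$requested' for $iface" >&2
        return 1
    fi
    echo "$value" > "$dir/rp_filter"
}

# When run as a hook, ifupdown provides IFACE and IF_IP_RP_FILTER.
if [ -n "${IFACE:-}" ]; then
    apply_rp_filter "$IFACE" "${IF_IP_RP_FILTER:-}"
fi
```

Rejecting an unknown value leaves the interface's current rp_filter setting in place, so a typo in the stanza cannot quietly switch source validation to a different mode.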
