VLAN network script if-up.d/ip limits rp_filter value to 0 or 1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vlan (Debian) | New | Unknown | |
vlan (Ubuntu) | Fix Released | Medium | Dan Streetman |
Trusty | Fix Released | Medium | Dan Streetman |
Xenial | Fix Released | Medium | Dan Streetman |
Zesty | Fix Released | Medium | Dan Streetman |
Artful | Fix Released | Medium | Dan Streetman |
Bug Description
[impact]
Using ifupdown, vlan supports setting an interface's rp-filter value, but it can only be set to 0 or 1; it cannot be set to 2.
[test case]
On any system using ifupdown to manage interfaces, add to an interface's config:
if-rp-filter 2
When the interface is brought up, its /proc/sys/
See also c#9 for a test example
[regression potential]
Problems with this change could affect an interface's rp_filter value.
[other]
The upstream Debian bug for this has been open for 3 years without change, so it is unlikely Debian will fix this.
As outlined in c#4 and c#13, this setting is not generally required for vlans (but often used with them). So it is in question whether it should eventually be added elsewhere and removed here, but for the SRU the bug is where it is (in the vlan package) and there it has to be fixed.
---
[original description]
When configuring a VLAN interface on /etc/network/
This is the relevant configuration in /etc/network/
# The primary network interface
auto eno1
iface eno1 inet static
address 10.1.2.36
netmask 255.255.0.0
gateway 10.1.1.2
dns-search xxx.yy
dns-nameservers 10.1.2.22 10.1.2.24
# The administrative network
auto eno1.2
iface eno1.2 inet static
address 172.16.1.8
netmask 255.255.0.0
ip-rp-filter 2
vlan-raw-device eno1
But it does not get correctly set
~# cat /proc/sys/
1
And this is the script overriding the configuration
~# cat /etc/network/
#!/bin/sh
# This should probably go into ifupdown
# But usually only those with lots of interfaces (vlans) need these
if [ -d "/proc/
then
if [ -n "$IF_IP_PROXY_ARP" ]; then
if [ "$IF_IP_PROXY_ARP" -eq "1" ]; then
echo 1 > "/proc/
else
echo 0 > "/proc/
fi
fi
if [ -n "$IF_IP_RP_FILTER" ]; then
if [ "$IF_IP_RP_FILTER" -eq "0" ]; then
echo 0 > "/proc/
else
echo 1 > "/proc/
fi
fi
fi
It checks if $IF_IP_RP_FILTER is 0 and sets it to 0, otherwise sets it to 1, so it never allows setting it to 2 (loose mode).
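The mapping described above, next to a validated alternative and a check of the mode the kernel actually applies, as an added example that is not part of the original report or the vlan package. The function names and the SYSCTL_ROOT variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration: function names and SYSCTL_ROOT are hypothetical,
# not part of the vlan package.

# Mapping applied by the script quoted in the report: 0 stays 0, every
# other value (2, typos, non-numeric input) is written as 1.
rp_filter_before_fix() {
    # stderr is silenced here only to keep the demo output clean
    if [ "$1" -eq "0" ] 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

# Accept the three kernel modes (0 off, 1 strict, 2 loose) and refuse
# anything else instead of silently rewriting it.
rp_filter_validated() {
    case "$1" in
        0|1|2) echo "$1" ;;
        *) echo "invalid ip-rp-filter value: $1" >&2; return 1 ;;
    esac
}

# Effective mode for an interface: the kernel uses the higher of
# conf/all/rp_filter and conf/<iface>/rp_filter for source validation,
# so the per-interface file alone does not tell the whole story.
# SYSCTL_ROOT defaults to the live tree; point it at a copy for testing.
effective_rp_filter() {
    root="${SYSCTL_ROOT:-/proc/sys}/net/ipv4/conf"
    all=$(cat "$root/all/rp_filter") || return 1
    own=$(cat "$root/$1/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Constructed demo: what each mapping would write for the three modes.
for v in 0 1 2; do
    echo "ip-rp-filter $v: before fix -> $(rp_filter_before_fix "$v"), validated -> $(rp_filter_validated "$v")"
done
```

Running effective_rp_filter with the interface name after ifup shows whether a loose-mode setting took effect once the global conf/all value is taken into account.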
Changed in vlan (Ubuntu Trusty):
status: New → In Progress
Changed in vlan (Ubuntu Xenial):
status: New → In Progress
Changed in vlan (Ubuntu Zesty):
status: New → In Progress
Changed in vlan (Ubuntu Trusty):
importance: Undecided → Medium
Changed in vlan (Ubuntu Xenial):
importance: Undecided → Medium
Changed in vlan (Ubuntu Zesty):
importance: Undecided → Medium
assignee: nobody → Dan Streetman (ddstreet)
Changed in vlan (Ubuntu Xenial):
assignee: nobody → Dan Streetman (ddstreet)
Changed in vlan (Ubuntu Trusty):
assignee: nobody → Dan Streetman (ddstreet)
Changed in vlan (Ubuntu):
status: Confirmed → In Progress
Changed in vlan (Ubuntu):
importance: Undecided → Medium
description: updated
Changed in vlan (Debian):
status: Unknown → New
description: updated
description: updated
The following modification on /etc/network/if-up.d/ip makes it work.
*** 13,18 **** sys/net/ ipv4/conf/ $IFACE/ rp_filter" sys/net/ ipv4/conf/ $IFACE/ rp_filter" sys/net/ ipv4/conf/ $IFACE/ rp_filter"
--- 13,20 ----
if [ -n "$IF_IP_RP_FILTER" ]; then
if [ "$IF_IP_RP_FILTER" -eq "0" ]; then
echo 0 > "/proc/
+ elif [ "$IF_IP_RP_FILTER" -eq "2" ]; then
+ echo 2 > "/proc/
else
echo 1 > "/proc/
fi
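Review bot: in the `else` branch that follows the new `elif`, every value other than 0 and 2 is still written as 1, so a typo or a non-numeric ip-rp-filter value (for which the `-eq` tests also fail with an error from `[`) silently becomes strict mode. A `case "$IF_IP_RP_FILTER" in 0|1|2)` arm that writes the value as given, with a warning and no write for anything else, would make the accepted set explicit and would not need a further `elif` per value.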