
Issue 621098

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug


sysctl.conf: set rp_filter=0

Project Member Reported by vapier@chromium.org, Jun 17 2016

Issue description

came across this tidbit:
https://lwn.net/Articles/578621/

basically the Linux network maintainer points out that rp_filter makes no sense on leaf devices and just adds overhead.  since CrOS is never in a routing position (or at least one where this setting would matter, e.g. routing between VMs/containers), we should turn this off.

need to double check with jetstream & lakitu to see if they want to turn it back on for their boards.
 

Comment 1 by pstew@chromium.org, Jun 17 2016

Cc: wad@chromium.org
Historical context: Though we are a leaf device, we do end up connected to multiple networks at the same time.  rp_filter was requested by our security team to prevent spoofed packets arriving on one network interface from being accepted as if coming from another interface.

Comment 2 by vapier@chromium.org, Jun 17 2016

i assumed we just copied it from Gentoo which has been setting it this way for a while (longer than CrOS has existed).  the history of the file shows that much as well.  if there are any bugs/docs to link to, that'd be great.
Cc: kyan@chromium.org caiz@chromium.org kevinhayes@chromium.org
mike - thanks for the heads up!

I'm inclined to believe jetstream will want rp_filter on for both whirlwind and arkham builds. Gale is still using its own config (but I'll get to that soon).

But I'm not the TL here and don't understand the guts of networking stack well enough. Adding some folks who do.

Comment 4 by pstew@chromium.org, Jun 17 2016

Note that rp_filter is actively manipulated by shill during the connection and portal detection process to enable / disable simultaneous probing using multiple default routes.
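
Because rp_filter can be changed at runtime, as Comment 4 describes, the value in sysctl.conf is not necessarily the one in force. The following is an added example, not part of the original thread and not Chromium OS code: a POSIX shell audit that reports the effective mode per interface, using the kernel's documented rule that the maximum of conf/all/rp_filter and conf/<iface>/rp_filter applies. The function names `rp_mode` and `rp_filter_audit` are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective IPv4 rp_filter mode per interface.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when it
# validates the source address of a packet received on <iface>.

# rp_mode VALUE -> name of an rp_filter value (0 off, 1 strict, 2 loose)
rp_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_filter_audit [CONF_DIR]
# CONF_DIR defaults to /proc/sys/net/ipv4/conf; another directory with the
# same layout can be passed for testing.
# Prints one line per interface; returns 0 only if every interface is strict.
rp_filter_audit() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    if [ ! -r "$conf/all/rp_filter" ]; then
        echo "cannot read $conf/all/rp_filter" >&2
        return 2
    fi
    all=$(cat "$conf/all/rp_filter")
    rc=0
    for f in "$conf"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" is folded into every result; "default" only seeds new interfaces
        case "$iface" in all|default) continue ;; esac
        own=$(cat "$f")
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        echo "$iface own=$own all=$all effective=$(rp_mode "$eff")"
        [ "$eff" -eq 1 ] || rc=1
    done
    return $rc
}
```

Calling `rp_filter_audit` with no argument reads the live values under /proc, so it shows what is currently enforced rather than what sysctl.conf requested at boot.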

Comment 5 by sjg@chromium.org, May 24 2017

Cc: sjg@chromium.org
So should this bug be closed WontFix?
Grant is correct that Jetstream devices do still want to use rp_filter.  I would either support closing as WontFix or separating it into a config which does not apply to Jetstream devices.

Comment 7 by sjg@chromium.org, Jun 1 2017

Status: WontFix (was: Available)
OK, let's close it.
