Simplify syntax of some network-related sysctl's

[raja-grewal]

This pull request simplifies the syntax of some network-related sysctl's.

I do not think there is a need to distinguish between application to 'all' and 'default'. Ideally these setting should be applied across the board regardless of interface.

One could also make the case this might be a form of weak 'hardening' as we have simplified each setting to one line (defence-in-depth etc.).

Note this approach is also currently used by GrapheneOS's infrastructure.

For example:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

to

net.ipv4.conf.*.accept_redirects=0

Changes

There are (likely) no changes to the functionality of the code.

EDIT: This PR attempts to fix a bug in the existing rp_filter implementation, see below.

Mandatory Checklist

• Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

• I have tested it locally
• I have reviewed and updated any documentation if relevant
• I am providing new code and test(s) for it

[adrelanos]

Could you test please (as root [1])...

1 Record old.

sysctl -a > old

2 Use the new settings.

3 Apply the new settings.

sysctl --system

4 Record new.

sysctl -b > new

5 Compare (with favorite diff viewer).

diff old new

Does it result in effectively the same sysctl settings as understood by the kernel or will there be a difference?

Also would be good to document this test somehow so we can refer to it for sysctl refactoring in the future.

---

[1] Obvious to you but not all readers.

[raja-grewal]

Great suggestion!

All sysctl commands work as expected except one.

I think there is a bug in rp_filter. Our existing implementation has a bug and this PR had a bug (that has now been corrected).

Using your suggested method, it seems that previously using

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

while all other interfaces would be correctly changed, it would still result in

net.ipv4.conf.lo.rp_filter = 2

This sysctl error seems to have persisted from when both rp_filter commands were introduced over 4 years ago.

The only way to patch this is using the updated submission

net.ipv4.conf.*.rp_filter=1
net.ipv4.conf.default.rp_filter=1

which correctly results in

net.ipv4.conf.lo.rp_filter = 1

Due to this PR, we might have unexpectedly stumbled upon a kernel bug that requires fixing and patching upstream.

For reference, my diff with relevant sysctls is

[a@X] diff old.txt new.txt 
BcB
< kernel.random.uuid = d334753e-702a-4ddf-9504-11aaceb7dfb5
---
> kernel.random.uuid = 94f395aa-d3a5-46a9-8009-fcdc2d817a44
DcD
< net.ipv4.conf.lo.rp_filter = 2
---
> net.ipv4.conf.lo.rp_filter = 1

Also would be good to document this test somehow so we can refer to it for sysctl refactoring in the future.

I could not agree more that documenting this test for the future is a great idea.

sysctl -b > new

Note minor error above where -b" should be "-a".