Simplify syntax of some network-related sysctl's #261
adrelanos merged 2 commits into Kicksecure:master from raja-grewal:syntax

Conversation
Could you test please (as root [1])...

1. Record old.
2. Use the new settings.
3. Apply the new settings.
4. Record new.
5. Compare (with favorite diff viewer).

Does it result in effectively the same sysctl settings as understood by the kernel or will there be a difference? Also would be good to document this test somehow so we can refer to it for sysctl refactoring in the future.

[1] Obvious to you but not all readers.
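The record/apply/record/compare test described in the comment above, written out as a POSIX shell script so it can be reused for future sysctl refactoring. This is an added example and is not code from this PR or from the Kicksecure repository; it assumes a procps-ng `sysctl` (`sysctl -a`, `sysctl --load=FILE`), `awk`, `sort` and `mktemp`, and the function names (`changed_keys`, `keys_differing_from_all`, `sysctl_refactor_check`) are the example's own. Besides the plain before/after diff it also lists per-interface keys whose value differs from the corresponding `net.ipv4.conf.all` key, which is the check that would have surfaced the `rp_filter` discrepancy discussed in this thread.

```shell
#!/bin/sh
# Added example for the sysctl refactoring test (not part of this PR).
# Assumes procps-ng sysctl, awk, sort and mktemp are available.

# changed_keys OLD NEW
# Both files hold sorted "key = value" lines as printed by `sysctl -a`.
# Prints keys that were added, removed, or whose kernel value changed.
changed_keys() {
    awk -F' = ' '
        NR == FNR { old[$1] = $2; next }          # first file: remember old values
        {
            seen[$1] = 1
            if (!($1 in old))       print "added:   " $1 " = " $2
            else if (old[$1] != $2) print "changed: " $1 ": " old[$1] " -> " $2
        }
        END { for (k in old) if (!(k in seen)) print "removed: " k }
    ' "$1" "$2" | sort
}

# keys_differing_from_all SNAPSHOT PARAM
# Lists net.ipv4.conf.<iface>.PARAM keys (including "default") whose value
# differs from net.ipv4.conf.all.PARAM in SNAPSHOT. After a refactor that drops
# the separate "default" line every interface should agree with "all"; whether
# a remaining mismatch matters depends on how the kernel combines the
# all/default/per-interface values for that particular parameter.
keys_differing_from_all() {
    awk -F' = ' -v p="$2" '
        $1 == "net.ipv4.conf.all." p { all = $2; next }
        $1 ~ ("^net\\.ipv4\\.conf\\.[^.]+\\." p "$") { iface[$1] = $2 }
        END { for (k in iface) if (iface[k] != all) print k " = " iface[k] }
    ' "$1" | sort
}

# sysctl_refactor_check NEW_CONF
# Steps 1-5 from the comment: record old, apply the new file, record new,
# compare. Run as root so `sysctl -a` can read every key and --load can write.
sysctl_refactor_check() {
    before=$(mktemp) && after=$(mktemp) || return 1
    sysctl -a 2>/dev/null | sort > "$before"      # 1. record old
    sysctl --load="$1" > /dev/null                # 2./3. use and apply new
    sysctl -a 2>/dev/null | sort > "$after"       # 4. record new
    echo "== keys whose kernel value changed =="  # 5. compare
    changed_keys "$before" "$after"
    echo "== per-interface rp_filter values differing from conf.all =="
    keys_differing_from_all "$after" rp_filter
    rm -f "$before" "$after"
}

# Run the full check only when invoked directly with a conf file argument,
# e.g.:  sudo sh sysctl-refactor-check.sh /etc/sysctl.d/30_security-misc.conf
if [ "$#" -eq 1 ]; then
    sysctl_refactor_check "$1"
fi
```

The "changed" list should contain exactly the keys the new conf file sets and nothing else; keys that the old and new files both set to the same value will not appear, so for a pure syntax refactor the useful check is that nothing appears that the old file did not also change. Any line in the second list names an interface the refactored setting did not reach.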
Great suggestion! All I think there is a bug in Using your suggested method, it seems that previously using while all other interfaces would be correctly changed, it would still result in This The only way to patch this is using the updated submission which correctly results in Due to this PR, we might have unexpectedly stumbled upon a kernel bug that requires fixing and patching upstream. For reference, my diff with relevant
I could not agree more that documenting this test for the future is a great idea.
Note minor error above where "-b" should be "-a".
This pull request simplifies the syntax of some network-related sysctl's. I do not think there is a need to distinguish between application to 'all' and 'default'. Ideally these settings should be applied across the board regardless of interface.
One could also make the case this might be a form of weak 'hardening' as we have simplified each setting to one line (defence-in-depth etc.).
Note this approach is also currently used by GrapheneOS's infrastructure.
For example:
to
Changes
There are (likely) no changes to the functionality of the code.
EDIT: This PR attempts to fix a bug in the existing rp_filter implementation, see below.