device: look at 'all' rp_filter value too to determine actual value

Currently we overwrite the interface rp_filter value with 2 ("loose") only when it is 1 ("strict") because when it is 0 ("no validation") it is already more permissive. So, if the value for the interface is 0 and net/ipv4/conf/all/rp_filter is 1 (like it happens by default on Fedora 28), we don't overwrite it; since kernel considers the maximum between {all,$dev}/rp_filter, the effective value remains 'strict'. We should instead combine the two {all,$dev}/rp_filter, and if it's 1 overwrite the value with 2. https://bugzilla.redhat.com/show_bug.cgi?id=1565529 (cherry picked from commit 150cf44d50)
2026-03-05 07:40:34 +01:00 · 2018-04-10 16:22:00 +02:00 · 2018-04-10 16:22:00 +02:00 · 0a1b1a4e5c
commit 0a1b1a4e5c
parent 58df222cbb
1 changed files with 25 additions and 8 deletions
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@ -879,19 +879,36 @@ nm_device_ipv4_sysctl_set (NMDevice *self, const char *property, const char *val
 }

 static guint32
-nm_device_ipv4_sysctl_get_uint32 (NMDevice *self, const char *property, guint32 fallback)
+nm_device_ipv4_sysctl_get_effective_uint32 (NMDevice *self, const char *property, guint32 fallback)
 {
 	char buf[NM_UTILS_SYSCTL_IP_CONF_PATH_BUFSIZE];
+	gint64 v, v_all;

 	if (!nm_device_get_ip_ifindex (self))
 		return fallback;

-	return nm_platform_sysctl_get_int_checked (nm_device_get_platform (self),
-	                                           NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET, buf, nm_device_get_ip_iface (self), property)),
-	                                           10,
-	                                           0,
-	                                           G_MAXUINT32,
-	                                           fallback);
+	v = nm_platform_sysctl_get_int_checked (nm_device_get_platform (self),
+	                                        NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET,
+	                                                                                                  buf,
+	                                                                                                  nm_device_get_ip_iface (self),
+	                                                                                                  property)),
+	                                        10,
+	                                        0,
+	                                        G_MAXUINT32,
+	                                        -1);
+
+	v_all = nm_platform_sysctl_get_int_checked (nm_device_get_platform (self),
+	                                            NMP_SYSCTL_PATHID_ABSOLUTE (nm_utils_sysctl_ip_conf_path (AF_INET,
+	                                                                                                      buf,
+	                                                                                                      "all",
+	                                                                                                      property)),
+	                                            10,
+	                                            0,
+	                                            G_MAXUINT32,
+	                                            -1);
+
+	v = NM_MAX (v, v_all);
+	return v > -1 ? (guint32) v : fallback;
 }

 gboolean
@ -2980,7 +2997,7 @@ ip4_rp_filter_update (NMDevice *self)

 	if (   priv->v4_has_shadowed_routes
 	    || nm_device_get_best_default_route (self, AF_INET)) {
-		if (nm_device_ipv4_sysctl_get_uint32 (self, "rp_filter", 0) != 1) {
+		if (nm_device_ipv4_sysctl_get_effective_uint32 (self, "rp_filter", 0) != 1) {
 			/* Don't touch the rp_filter if it's not strict. */
 			return;
 		}