author | Ryan Riske <ryanriske@gmail.com> | 2014-10-10 12:31:46 -0500 |
---|---|---|
committer | Ryan Riske <ryanriske@gmail.com> | 2014-10-10 13:00:39 -0500 |
commit | 3b8cf68b97806cd1e86a198dd7ea7eff21175ca8 (patch) | |
tree | 7c309657052c00a798a1599f90c317b69a07da0d | |
parent | 4152e36311d1f31cf18482a267116a5c63d599b6 (diff) | |
download | vyatta-cfg-quagga-3b8cf68b97806cd1e86a198dd7ea7eff21175ca8.tar.gz vyatta-cfg-quagga-3b8cf68b97806cd1e86a198dd7ea7eff21175ca8.zip |
Bug 147: source-validation sysctl behavior changed in newer kernels
-rw-r--r-- | interface-templates/ip/source-validation/node.def | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/interface-templates/ip/source-validation/node.def b/interface-templates/ip/source-validation/node.def
index bc93b5a5..4e80e4f0 100644
--- a/interface-templates/ip/source-validation/node.def
+++ b/interface-templates/ip/source-validation/node.def
@@ -1,8 +1,7 @@
 # rp_filter
 # default value - 0
-# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to
-# a value greater than 0 to do source validation on the interface
-
+# The max value from conf/{all,interface}/rp_filter is used
+# when doing source validation on the {interface}.
 type: txt
@@ -15,20 +14,27 @@ val_help: disable; No source validation
 syntax:expression: $VAR(@) in "strict", "loose", "disable"; "source-validation must be set to 'loose', 'strict' or 'disable'"
 update:
+ read all < /proc/sys/net/ipv4/conf/all/rp_filter
 if [ x$VAR(@) == xstrict ]; then
- sudo sh -c "echo 1 > \
- /proc/sys/net/ipv4/conf/all/rp_filter"
- sudo sh -c "echo 1 > \
- /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
+ new=1
 elif [ x$VAR(@) == xloose ]; then
- sudo sh -c "echo 2 > \
- /proc/sys/net/ipv4/conf/all/rp_filter"
- sudo sh -c "echo 2 > \
- /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
+ new=2
 else
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv4/conf/all/rp_filter"
- fi
+ new=0
+ fi
+
+ if [ "$all" -gt "$new" ]; then
+ echo "Warning: global source-validation overrides per interface"
+ global="disable"
+ if [ "$all" -eq 1 ]; then
+ global=strict
+ elif [ "$all" -eq 2 ]; then
+ global=loose
+ fi
+ echo "Global value is $global"
+ fi
+ sudo sh -c "echo $new > \
+ /proc/sys/net/ipv4/conf/$IFNAME/rp_filter"
 delete: sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/rp_filter" |
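Review bot: In the `update:` block, an interface set to `strict` (`new=1`) while `conf/all/rp_filter` is 2 takes the `-gt` branch, which only prints a warning and lets the commit succeed. By the header comment's own max-value rule the interface then runs loose validation although strict was requested, so the anti-spoofing check is weaker than configured. The message should name the effective mode and the interface, e.g. `echo "Effective source-validation on $IFNAME is $global (global setting wins)"`, or the template should reject the commit in that case. Separately, the result of `read all < /proc/sys/net/ipv4/conf/all/rp_filter` is never checked, so a failed read leaves `$all` empty and `[ "$all" -gt "$new" ]` errors out and skips the warning; adding `all=${all:-0}` after the read would keep the comparison well-defined. The `delete:` action still writes 0 to the interface without any notice that a non-zero global value continues to apply.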