Disable forced Reverse Path filtering #7

New Issue

Closed

opened 2020-12-10 18:13:35 +01:00 by jdubois · 1 comment

jdubois commented

2020-12-10 18:13:35 +01:00

Member

Minifirewall enable the Reverse Path filtering each time the init script is executed :

# Enable Reverse Path filtering : verify if responses use same network interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done

But VRRP needs it to be disabled. To simply re-disable it within minifirewall.conf instead of commenting out this part of the init script does not work : the fact that it is enabled, even for one second, is enough to break VRRP.

The problem is that this script is not made to be customized : an update of the init script could remove the comments. Then, a restart of minifirewall would break VRRP.

I think in Debian, the default value is already at 1. This configuration was already there at the first commit in 2009, so I do not know the need, but do we really need to enable Reverse Path filtering ?

Minifirewall enable the Reverse Path filtering each time the init script is executed : ``` # Enable Reverse Path filtering : verify if responses use same network interface for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i done ``` But [VRRP](https://wiki.evolix.org/HowtoVRRP#utilisation-avec-minifirewall) needs it to be disabled. To simply re-disable it within minifirewall.conf instead of commenting out this part of the init script does not work : the fact that it is enabled, even for one second, is enough to break VRRP. The problem is that this script is not made to be customized : an update of the init script could remove the comments. Then, a restart of minifirewall would break VRRP. I think in Debian, the default value is already at 1. This configuration was already there at the first commit in 2009, so I do not know the need, but do we really need to enable Reverse Path filtering ?