public inbox for linux-kernel@vger.kernel.org
From: Philipp Matthias Hahn <pmhahn@titan.lahn.de>
To: linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: /proc/sys/net/ip*/conf/all/* does not actually affect interfaces
Date: Tue, 3 Mar 2009 08:00:25 +0100
Message-ID: <20090303070025.GA5042@pmhahn.de>
In-Reply-To: <20090302122718.GA3906@piper.oerlikon.madduck.net>

Hello!

On Mon, Mar 02, 2009 at 01:27:18PM +0100, martin f krafft wrote:
> I was unpleasantly surprised last night that a rogue machine managed
> to alter the IPv6 default route of one of my servers, despite my
> sysctl configuration, which disables RA for "all" interfaces during
> the boot sequence. It also changes the "default" values:
...
> Yet, net.ipv6.conf.eth0.* values were unchanged, and routing
> advertisements honoured.
> 
> This also applies to files in ipv4/, e.g. accept_redirects
...

As far as I researched for IPv4 some time ago, the "default" value gets
copied to newly created interfaces only once.
"all" on the other hand always gets applied in addition to the current
setting, but it depends on the exact setting, if it's ORed, ANDed, or
whatevered:
	log_martians         OR
	accept_redirects     AND
	forwarding           ?
	mc_forwarding        AND
	medium_id
	proxy_arp            OR
	shared_media         OR
	secure_redirects     OR
	send_redirects       OR
	bootp_relay          AND
	accept_source_route  AND
	rp_filter            AND
	arp_filter           OR
	arp_announce         MAX
	arp_ignore           MAX
	arp_accept
	app_solicit
	disable_policy
	disable_xfrm
	tag
(see include/linux/inetdevice.h:83 for IN_DEV_{AND,OR,MAX}CONF)

Putting a new value in "all" doesn't change the value you read from
"$interface", but it only gets computed and used internally.

BYtE
Philipp
-- 
  / /  (_)__  __ ____  __ Philipp Hahn
 / /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\ pmhahn@titan.lahn.de
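
An added example, not part of the original message or the kernel source: a POSIX shell script that computes the value used internally for an IPv4 per-interface setting by combining conf/all with conf/<interface> under the rules listed in the message. The rule table is taken from the message as-is and may differ between kernel versions; `CONF_ROOT` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Combination rules are the ones
# listed in the message (assumed here; they may differ between kernel versions).
# CONF_ROOT is a hypothetical override so the logic can run on a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# rule_for KEY: print OR, AND or MAX; "unknown" where the message gives no rule.
rule_for() {
    case "$1" in
        log_martians|proxy_arp|shared_media|secure_redirects|send_redirects|arp_filter)
            echo OR ;;
        accept_redirects|mc_forwarding|bootp_relay|accept_source_route|rp_filter)
            echo AND ;;
        arp_announce|arp_ignore)
            echo MAX ;;
        *)  echo unknown ;;
    esac
}

# effective_value IFACE KEY: combine conf/all/KEY with conf/IFACE/KEY.
effective_value() {
    all=$(cat "$CONF_ROOT/all/$2") || return 1
    dev=$(cat "$CONF_ROOT/$1/$2") || return 1
    case "$(rule_for "$2")" in
        OR)  if [ "$all" -ne 0 ] || [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi ;;
        AND) if [ "$all" -ne 0 ] && [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi ;;
        MAX) if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi ;;
        *)   echo unknown ;;
    esac
}

# audit_iface IFACE: list keys whose effective value differs from the value
# read from conf/IFACE/KEY, i.e. where the per-interface file alone misleads.
audit_iface() {
    for f in "$CONF_ROOT/$1"/*; do
        key=${f##*/}
        [ "$(rule_for "$key")" != unknown ] || continue
        eff=$(effective_value "$1" "$key") || continue
        shown=$(cat "$f")
        [ "$eff" = "$shown" ] || echo "$key shown=$shown effective=$eff"
    done
}

# Run against a real interface when one is named: sh effective.sh eth0
[ "$#" -eq 0 ] || audit_iface "$1"
```

For the OR keys, clearing only conf/all leaves the feature active on any interface whose own file is still 1, so a hardening baseline has to set the per-interface files as well.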
