| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Oct 2015 06:00:07 -0700 (PDT) From: David Miller <davem@...emloft.net> To: hannes@...essinduktion.org Cc: nicolas.dichtel@...nd.com, dsa@...ulusnetworks.com, netdev@...r.kernel.org, hannes@...hat.com Subject: Re: [PATCH net-next v5] net: ipv6: Make address flushing on ifdown optional From: Hannes Frederic Sowa <hannes@...essinduktion.org> Date: Wed, 14 Oct 2015 14:14:05 +0200 > I can bring up the rp_filter setting, too. It currently gets > unconditional set to strict mode in systemd on all interfaces. Sigh... > The question is, if we should care about people enabling forwarding by > simply toggling the sysctl forwarding knob? Essentially in the kernel we > could provide two sysctl knobs, one for forwarding and one for local > reception. So people following the guidelines how to enable forwarding > could automatically have rp_filter enabled while host mode does not > because we leave the forwarding rp_filter setting enabled. This at the > same time seems unnecessary complex and maybe we should simply talk to > distributions. ;) > > What do you think? We could make rp_filter only apply when something more than default and subnet routes are configured. Another bypass might be when only one interface other than loopback is up and enabled for ipv4. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists