authorVernon Mauery <vernon.mauery@linux.intel.com>2019-04-12 23:56:52 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2019-04-29 19:15:43 +0300
commitfe4db9be28aa67433cd5c2a6354f1f92ad94b7e2 (patch)
tree78b6248ee7f1e2a50839ea43602d608e7f584301 /meta-phosphor/recipes-core
parentd942b7a7f9216ae16288fdc77923b83ee5ade84d (diff)
Enable reverse-path filter for IPv4
/proc/sys/net/ipv4/conf/*/rp_filter enforces filtering of packets to make sure that only packets that match the route can be sent on an interface. This is recommended for reducing IP spoofing as well as allowing for proper UDP behavior when multiple configured NICs have the same subnet. This is needed for the upcoming change of phosphor-ipmi-net, where its socket file uses the bind-to-device option to be able to bind each instance to a single network interface. This allows each RMCP+ bridge to accept only incoming packets on that interface. But in order to do this with two NICs on the same subnet, reverse-path filtering must be enabled in the kernel. (From meta-phosphor rev: 62a4b6cde3046a2439bdcef79a6ac85fd6684194) Change-Id: Ia4ba2523ded0d18d99f8be2fedd42666e96c34d2 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-phosphor/recipes-core')
-rw-r--r--meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf5
-rw-r--r--meta-phosphor/recipes-core/base-files/base-files_%.bbappend4
2 files changed, 9 insertions, 0 deletions
diff --git a/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
new file mode 100644
index 000000000..7194eb85d
--- /dev/null
+++ b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
@@ -0,0 +1,5 @@
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 2
+
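Review bot: The comment on the two `+#` lines presents the setting as Source Address Verification, but the value `2` selects loose mode (the source only has to be reachable via some interface), not the strict per-interface check of mode `1`, and the file does not record why loose mode was chosen (bind-to-device sockets on two NICs sharing a subnet, per the commit message). Since the kernel uses the maximum of `conf.all` and the interface-specific value, `net.ipv4.conf.all.rp_filter = 2` also means no interface can later be tightened to strict mode with a per-interface key; that side effect deserves a line in the file so a future hardening change does not silently fail. I would replace the comment with `# Loose reverse-path filtering (mode 2) on all interfaces: drop packets whose` / `# source is reachable via no interface. Strict mode (1) would break bind-to-device` / `# sockets on two NICs sharing a subnet; conf.all=2 also caps per-interface values at loose.`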
diff --git a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
index 83e455f3d..c77cfefc7 100644
--- a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
@@ -5,6 +5,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
RDEPENDS_${PN}_append_df-obmc-ubi-fs = " preinit-mounts"
SRC_URI += " \
+ file://50-rp_filter.conf \
${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'file://nsswitch_ldap.conf', '', d)}"
do_install_append() {
@@ -14,4 +15,7 @@ do_install_append() {
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'ldap', d)}" ]; then
install -D -m 600 ${WORKDIR}/nsswitch_ldap.conf ${D}/${sysconfdir}/nsswitch.conf
fi
+
+ install -d ${D}/${libdir}/sysctl.d
+ install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}/${libdir}/sysctl.d/50-rp_filter.conf
}
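Review bot: The added `install -d ${D}/${libdir}/sysctl.d` is redundant, because the `install -D` on the next line already creates the leading directories, so the two lines can collapse into one. More importantly, systemd-sysctl reads the vendor directory under `/usr/lib/sysctl.d`; `${libdir}` happens to resolve there on the ARM targets this layer appears to build for, but on a multilib configuration where it becomes `lib64` the file would be installed and never applied, silently leaving rp_filter off. Yocto provides `${nonarch_libdir}` for exactly this path, so I would write the install as `install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}${nonarch_libdir}/sysctl.d/50-rp_filter.conf` and drop the `install -d` line. The enclosing `do_install_append` opens in the previous hunk, outside this one.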