From fe4db9be28aa67433cd5c2a6354f1f92ad94b7e2 Mon Sep 17 00:00:00 2001
From: Vernon Mauery
Date: Fri, 12 Apr 2019 13:56:52 -0700
Subject: Enable reverse-path filter for IPv4
/proc/sys/net/ipv4/conf/*/rp_filter enforces filtering of packets to make sure that only packets that match the route can be sent on an interface. This is recommended for reducing IP spoofing as will as allowing for proper UDP behavior when multiple configured NICs have the same subnet. This is needed for the upcoming change of phosphor-ipmi-net, were its socket file uses the bind-to-device option to be able to bind each instance to a single network interface. This allows each RMCP+ bridge to accept only incoming packets on that interface. But in order to do this with two NICs on the same subnet, reverse-path filtering must be enabled in the kernel.
(From meta-phosphor rev: 62a4b6cde3046a2439bdcef79a6ac85fd6684194)
Change-Id: Ia4ba2523ded0d18d99f8be2fedd42666e96c34d2
Signed-off-by: Vernon Mauery
Signed-off-by: Brad Bishop
---
meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf | 5 +++++
meta-phosphor/recipes-core/base-files/base-files_%.bbappend | 4 ++++
2 files changed, 9 insertions(+)
create mode 100644 meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
(limited to 'meta-phosphor/recipes-core')
diff --git a/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
new file mode 100644
index 000000000..7194eb85d
--- /dev/null
+++ b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
@@ -0,0 +1,5 @@
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 2
+
diff --git a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
index 83e455f3d..c77cfefc7 100644
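Review bot: The comment above the two added sysctl lines says "Source Address Verification", but the value 2 selects the kernel's loose mode, which only requires the source address to be reachable through some interface, not the one the packet arrived on; the stronger strict mode (1) is exactly what the commit message's two-NICs-on-one-subnet case rules out, and the file should say so rather than imply the classic strict setting. Suggest replacing the comment with `# rp_filter=2 is loose mode: a packet is accepted if its source is reachable via any interface.` and `# Strict mode (1) is deliberately not used: it would drop traffic when two NICs share a subnet.` The kernel uses the maximum of conf/all and conf/<iface>, so with all=2 no per-interface setting can tighten a single NIC to strict mode; if that is intended, one more comment line noting it would save the next reader a trip to ip-sysctl.txt.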
--- a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
@@ -5,6 +5,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 RDEPENDS_${PN}_append_df-obmc-ubi-fs = " preinit-mounts"
 SRC_URI += " \
+ file://50-rp_filter.conf \
 ${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'file://nsswitch_ldap.conf', '', d)}"
 do_install_append() {
@@ -14,4 +15,7 @@ do_install_append() {
 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'ldap', d)}" ]; then
 install -D -m 600 ${WORKDIR}/nsswitch_ldap.conf ${D}/${sysconfdir}/nsswitch.conf
 fi
+
+ install -d ${D}/${libdir}/sysctl.d
+ install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}/${libdir}/sysctl.d/50-rp_filter.conf
 }
--
cgit v1.2.3
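Review bot: The two added install lines in the second hunk place the drop-in under `${libdir}/sysctl.d`, but systemd-sysctl reads `/usr/lib/sysctl.d`, and in OE `libdir` only resolves to `/usr/lib` on non-multilib targets; on a build where it becomes `/usr/lib64` the file would be installed but never read, silently leaving rp_filter at the kernel default with no build-time error. BMC targets are usually 32-bit so this is likely fine today, but `${nonarch_libdir}/sysctl.d` is the path that stays correct in both cases. The `install -d` on the first added line is also redundant, since `install -D` on the next line already creates leading directories, so the two lines collapse to `install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}${nonarch_libdir}/sysctl.d/50-rp_filter.conf`. The enclosing do_install_append() begins before this hunk.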