rp_filter changes in PVE 9

Erik Horn

Jul 25, 2024
I've recently started testing the upgrade of our v8.4 cluster to v9.1 (patched using the nosub repository today). While troubleshooting issues with our EVPN configuration, I found that the previous method for disabling reverse path filtering (rp_filter) was no longer working.

Our method of disabling reverse path filtering in v8 was to create the file /etc/sysctl.d/z-local.conf with the contents
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

After rebooting, we found that those parameters were set as expected, but most/all of the interface-specific rp_filter settings were 2.

I then temporarily set rp_filter to 0 for all network interfaces via sysctl, then created a new vnet and applied the change. The interface for the new vnet had rp_filter set to 2, even with default, all, and all of the other interfaces still set to 0.

This result gave me the idea that the problem wasn't with the all or default settings, but that something was actively setting rp_filter. I started digging around and found the following entry in /usr/lib/sysctl.d/50-default.conf:
net.ipv4.conf.*.rp_filter = 2

I added net.ipv4.conf.*.rp_filter = 0 to /etc/sysctl.d/z-local.conf then rebooted. All of the interfaces had reverse path filter disabled. I added another vnet, and it also had reverse path filter disabled as well.

I wanted to make others aware of this issue since having rp_filter unexpectedly enabled can create issues. Also, I'm not sure if this fix is the best way to handle it, it's just what I found first.

Thanks,

Erik
 
mmm, this seems to be a change in Debian 13:

https://www.debian.org/releases/tri...ues.html#etc-sysctl-conf-is-no-longer-honored

Code:
In Debian 13, systemd-sysctl no longer reads /etc/sysctl.conf. The package linux-sysctl-defaults ships /usr/lib/sysctl.d/50-default.conf which is intended to replace the former /etc/sysctl.conf. This package is recommended by systemd, and will thus be installed by default on systems where installation of recommended packages has not been turned off.

Check whether linux-sysctl-defaults is installed on your system and whether the contents of /usr/lib/sysctl.d/50-default.conf conform to your expectations. Consider putting local configuration into file snippets named /etc/sysctl.d/*.conf.
 
I was able to look into it some more this morning. The new Debian 13 default for net.ipv4.conf.*.rp_filter is the issue for us.

I didn't realize that sysctl was run for a network interface whenever it appears in the system, such as during system startup or when adding a vnet. But with the new default containing the wildcard for the network interface name, it effectively overrides the net.ipv4.conf.default.rp_filter setting.

I feel lucky that I found the issue during testing and not after it reached production. That was only because we currently have significant traffic flows that are dropped due to rp_filter, due to a non-PVE issue.
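As an added example (not from the thread, and not Proxmox or Debian code), two POSIX shell checks that help verify the situation described above after applying a z-local.conf override: one audits the live per-interface rp_filter values, the other lists every rp_filter line across the sysctl.d directories in the order systemd-sysctl applies them, so the last line printed for a key is the one that wins. The default paths are the standard sysctl locations and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed default paths:
# /proc/sys/net/ipv4/conf for live values, and the three sysctl.d directories.

# rp_filter_audit [conf_dir] [expected]
# Prints "iface value" for every interface whose rp_filter is not <expected>
# (default 0). Returns 1 if any interface differs, 0 if all match.
rp_filter_audit() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    expected="${2:-0}"
    rc=0
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" != "$expected" ]; then
            printf '%s %s\n' "$iface" "$val"
            rc=1
        fi
    done
    return $rc
}

# rp_filter_sources [dir ...]
# Lists rp_filter lines from *.conf snippets in systemd-sysctl order:
# snippets are sorted by file name, and a file name in a later-listed
# directory (e.g. /etc/sysctl.d) shadows the same name in an earlier one
# (e.g. /usr/lib/sysctl.d). Later lines override earlier ones, which is why
# a wildcard line in z-local.conf beats the one in 50-default.conf.
rp_filter_sources() {
    if [ $# -eq 0 ]; then
        set -- /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -f "$f" ] && printf '%s %s\n' "$(basename "$f")" "$f"
        done
    done |
    awk '{ path[$1] = $2 } END { for (n in path) print n, path[n] }' |
    sort -k1,1 |
    while read -r name path; do
        grep -H 'rp_filter' "$path" || true
    done
}
```

Run `rp_filter_audit` after adding a vnet to confirm the new interface inherited 0, and `rp_filter_sources` to see which snippet currently has the last word on net.ipv4.conf.*.rp_filter.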