Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / fe4db9be28aa67433cd5c2a6354f1f92ad94b7e2^! / .
commitfe4db9be28aa67433cd5c2a6354f1f92ad94b7e2[log] [tgz]
authorVernon Mauery <vernon.mauery@linux.intel.com>Fri Apr 12 13:56:52 2019 -0700
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Mon Apr 29 12:15:43 2019 -0400
tree78b6248ee7f1e2a50839ea43602d608e7f584301
parentd942b7a7f9216ae16288fdc77923b83ee5ade84d [diff]
Enable reverse-path filter for IPv4

/proc/sys/net/ipv4/conf/*/rp_filter enforces filtering of packets to
make sure that only packets that match the route can be sent on an
interface. This is recommended for reducing IP spoofing as will as
allowing for proper UDP behavior when multiple configured NICs have the
same subnet.

This is needed for the upcoming change of phosphor-ipmi-net, were its
socket file uses the bind-to-device option to be able to bind each
instance to a single network interface.  This allows each RMCP+ bridge
to accept only incoming packets on that interface. But in order to do
this with two NICs on the same subnet, reverse-path filtering must be
enabled in the kernel.

(From meta-phosphor rev: 62a4b6cde3046a2439bdcef79a6ac85fd6684194)

Change-Id: Ia4ba2523ded0d18d99f8be2fedd42666e96c34d2
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf
new file mode 100644
index 0000000..7194eb8
--- /dev/null
+++ b/meta-phosphor/recipes-core/base-files/base-files/50-rp_filter.conf

@@ -0,0 +1,5 @@
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 2
+

diff --git a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
index 83e455f..c77cfef 100644
--- a/meta-phosphor/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-phosphor/recipes-core/base-files/base-files_%.bbappend

@@ -5,6 +5,7 @@
 RDEPENDS_${PN}_append_df-obmc-ubi-fs = " preinit-mounts"
 
 SRC_URI += " \
+    file://50-rp_filter.conf \
     ${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'file://nsswitch_ldap.conf', '', d)}"
 
 do_install_append() {
@@ -14,4 +15,7 @@
     if [ "${@bb.utils.filter('DISTRO_FEATURES', 'ldap', d)}" ]; then
         install -D -m 600 ${WORKDIR}/nsswitch_ldap.conf ${D}/${sysconfdir}/nsswitch.conf
     fi
+
+    install -d ${D}/${libdir}/sysctl.d
+    install -D -m 644 ${WORKDIR}/50-rp_filter.conf ${D}/${libdir}/sysctl.d/50-rp_filter.conf
 }