mathieuc n00b
Joined: 25 Aug 2005 Posts: 5 Location: Paris, France
Posted: Thu Aug 25, 2005 8:53 am Post subject: sysctl parameters priority
Hi,
My question is: which parameter has priority in the configuration, a "conf/DEV" or a "conf/all" parameter?
For example, if I put this in /etc/sysctl.conf:
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.all.accept_source_route = 0
Will eth0 accept source routing?
Or if I do this:
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 0
Will eth0 accept forwarding?
Thanks for your help!
Mathieu C.
I have found this information about sysctl configuration, but it doesn't answer my question:
conf/DEV/, conf/all/ and conf/default/ differences:
The /conf/DEV/ directory, where DEV stands for some device or another, will only change the behaviour of the specific device in question. conf/all/, on the other hand, will change the behaviour of all the other interfaces if changed.
The final directory, named conf/default/, will change the default values. This doesn't change the values in the already set up devices, but it will change the default values used for all the interfaces that may be brought up in the future. One usage would be if we set up a new interface eth0, change the conf/eth0 variables for it, and finally set the defaults used. If we would then load five modems on ppp+, these variables would change since the default variables have changed.
_dA_CyANIDe Apprentice
Joined: 30 Mar 2005 Posts: 196 Location: Czech Republic
Posted: Thu Aug 25, 2005 10:38 am
Hi mathieuc,
Try looking at the Gentoo security guide. There is something about configuring sysctl.conf; I think it is chapter 9.
_________________
AMD64 X2 3800+, 1GB RAM, Gigabyte GF7600
-----
Firewalls cannot block stupidity!
dementer Tux's lil' helper
Joined: 25 Jan 2004 Posts: 139 Location: New Zealand
Posted: Thu Aug 25, 2005 10:49 am
Good question.
From your quote I read
Quote:
For example, if I put this in /etc/sysctl.conf:
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.all.accept_source_route = 0
Will eth0 accept source routing?
to mean eth0 vars are set and not subject to change, unless you change them yourself of course. The all vars will affect ALL other interfaces unless they are explicitly set like eth0. So the answer is yes. The order of the statements doesn't matter either.
It's not so much a matter of priority as graininess. If you want a sweeping change on all interfaces that are not set, use conf/all. If you want to adjust a particular interface, then conf/DEV.
mathieuc n00b
Joined: 25 Aug 2005 Posts: 5 Location: Paris, France
Posted: Thu Aug 25, 2005 11:36 am
Hi everybody,
Thank you a lot for your help. There was an error in my first message; you should read:
"If I do this:
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 1 (not 0)
Will eth0 accept forwarding?"
So if I understand your explanation, dementer: in this case, because the eth0 parameter is set, and because it is more precise than the all parameter, its value will be considered the most important by the kernel, so eth0 won't accept forwarding.
So the fact of setting a parameter explicitly is enough to be sure that it won't be cancelled by a more general parameter.
But there is something still not really clear about this for me:
If you do this:
sysctl -a | grep forwarding
and you get something like this:
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 0
Then afterwards, you do this:
sysctl -w net.ipv4.conf.all.forwarding=1
Then you do this again:
sysctl -a | grep forwarding
You'll get this:
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.all.forwarding = 1
So do you think that the order of those lines in the sysctl.conf file will not change the value of the net.ipv4.conf.eth0.forwarding parameter?
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 1 (not 0)
Thanks again!
Mathieu
mathieuc n00b
Joined: 25 Aug 2005 Posts: 5 Location: Paris, France
Posted: Thu Aug 25, 2005 11:57 am
I did the test, and in fact what I suspected is true: the most important thing is the order of the parameters in the sysctl.conf file.
So if you put this in your sysctl.conf file:
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.eth0.forwarding = 0
eth0 forwarding will be set to 0.
But if you put this:
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 1
eth0 forwarding will be set to 1.
But there is another question: when you do this (without considering kernel init and the sysctl.conf file):
sysctl -a | grep forwarding
And you get this, for example:
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.all.forwarding = 1
Which parameter does the kernel consider in priority?
From your explanation, dementer, I should consider that in fact the "all" parameter is just a "tool" for configuring faster, and is never considered by the kernel, so the kernel always looks directly at the "DEV" parameter. Is that correct?
Thanks for your help again!
Mathieu
mathieuc n00b
Joined: 25 Aug 2005 Posts: 5 Location: Paris, France
Posted: Thu Aug 25, 2005 2:34 pm
It seems that in fact there is no standard rule about the kernel's reaction depending on the value of the "all" or "DEV" parameter:
sometimes you need the two values to be the same to get what you need, sometimes one value is enough, with no importance about which one...
Extract of the ip-sysctl.txt file:
conf/interface/* changes special settings per interface (where "interface" is
the name of your network interface)
conf/all/* is special, changes the settings for all interfaces
accept_redirects - BOOLEAN
Accept ICMP redirect messages.
accept_redirects for the interface will be enabled if:
- both conf/{all,interface}/accept_redirects are TRUE in the case forwarding
for the interface is enabled
or
- at least one of conf/{all,interface}/accept_redirects is TRUE in the case
forwarding for the interface is disabled
accept_redirects for the interface will be disabled otherwise
default TRUE (host)
FALSE (router)
forwarding - BOOLEAN
Enable IP forwarding on this interface.
accept_source_route - BOOLEAN
Accept packets with SRR option.
conf/all/accept_source_route must also be set to TRUE to accept packets
with SRR option on the interface
default TRUE (router)
FALSE (host)
log_martians - BOOLEAN
Log packets with impossible addresses to kernel log.
log_martians for the interface will be enabled if at least one of
conf/{all,interface}/log_martians is set to TRUE,
it will be disabled otherwise
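As an added illustration of the two points raised in the thread (file order in sysctl.conf, and how the kernel combines conf/all with conf/DEV for the keys quoted from ip-sysctl.txt), here is a small Python model written for this page. It is not kernel code and not from any poster. It assumes that a write to conf/all/forwarding is pushed down to every interface (the effect observed with `sysctl -w` earlier in the thread), while the other conf/all keys are stored on their own and only combined with the per-interface value according to the quoted rules; the interface names and the configuration snippets are constructed.

```python
"""Model of the sysctl.conf ordering effect and of the conf/{all,DEV} rules
quoted from ip-sysctl.txt.  Constructed example, not kernel code: the one
kernel behaviour assumed is that writing net.ipv4.conf.all.forwarding is
propagated to every interface, as the thread observed with `sysctl -w`."""
from typing import Dict, Optional

PREFIX = "net.ipv4.conf."
INTERFACES = ("eth0", "eth1")        # constructed interface set
PROPAGATING = {"forwarding"}          # assumption: only this conf/all key fans out


def write_sysctl(state: Dict[str, int], key: str, value: int) -> None:
    """Equivalent of one `sysctl -w key=value` against the modelled state."""
    state[key] = value
    if key.startswith(PREFIX):
        scope, _, leaf = key[len(PREFIX):].partition(".")
        if scope == "all" and leaf in PROPAGATING:
            # conf/all/forwarding overwrites every interface plus conf/default/
            for dev in INTERFACES + ("default",):
                state[f"{PREFIX}{dev}.{leaf}"] = value


def apply_sysctl_conf(text: str, state: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Apply `key = value` lines in file order, as `sysctl -p` does."""
    state = dict(state) if state else {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        write_sysctl(state, key.strip(), int(value.strip()))
    return state


def _flag(state: Dict[str, int], scope: str, leaf: str) -> bool:
    return bool(state.get(f"{PREFIX}{scope}.{leaf}", 0))


def effective(state: Dict[str, int], dev: str) -> Dict[str, bool]:
    """Behaviour of one interface, following the ip-sysctl.txt rules quoted
    in the thread: forwarding is per interface, source routing needs both
    all and DEV, martian logging needs either, redirects depend on forwarding."""
    fwd = _flag(state, dev, "forwarding")
    all_redir = _flag(state, "all", "accept_redirects")
    dev_redir = _flag(state, dev, "accept_redirects")
    return {
        "forwarding": fwd,
        "accept_redirects": (all_redir and dev_redir) if fwd else (all_redir or dev_redir),
        "accept_source_route": _flag(state, "all", "accept_source_route")
        and _flag(state, dev, "accept_source_route"),
        "log_martians": _flag(state, "all", "log_martians")
        or _flag(state, dev, "log_martians"),
    }


# The two orderings tested in the thread, plus the original source-route question.
ALL_THEN_DEV = "net.ipv4.conf.all.forwarding = 1\nnet.ipv4.conf.eth0.forwarding = 0\n"
DEV_THEN_ALL = "net.ipv4.conf.eth0.forwarding = 0\nnet.ipv4.conf.all.forwarding = 1\n"
SOURCE_ROUTE = (
    "net.ipv4.conf.eth0.accept_source_route = 1\n"
    "net.ipv4.conf.all.accept_source_route = 0\n"
)


def eth0_forwarding_after(conf: str) -> int:
    """Final net.ipv4.conf.eth0.forwarding once the file has been applied."""
    return apply_sysctl_conf(conf)["net.ipv4.conf.eth0.forwarding"]


if __name__ == "__main__":
    for name, conf in (("all then eth0", ALL_THEN_DEV), ("eth0 then all", DEV_THEN_ALL)):
        print(f"{name}: eth0.forwarding = {eth0_forwarding_after(conf)}")
    sr = effective(apply_sysctl_conf(SOURCE_ROUTE), "eth0")["accept_source_route"]
    print("eth0 accepts source-routed packets:", sr)
```

The ordering result reproduces the test reported above (all-then-eth0 leaves eth0 at 0, eth0-then-all leaves it at 1), and `effective()` answers the first question from the quoted rules: with conf/all/accept_source_route at 0, eth0's own value of 1 is not enough. Hardening checks should therefore verify the effective combination, not a single key.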
dementer Tux's lil' helper
Joined: 25 Jan 2004 Posts: 139 Location: New Zealand
Posted: Thu Aug 25, 2005 9:40 pm
I'm impressed with the research you've done.
To be honest, from those tests I'm not sure which is read first. Probably the easiest way to check is to read the kernel source or ask one of the developers of that source. This is interesting...
_dA_CyANIDe Apprentice
Joined: 30 Mar 2005 Posts: 196 Location: Czech Republic
mathieuc n00b
Joined: 25 Aug 2005 Posts: 5 Location: Paris, France
Posted: Fri Aug 26, 2005 9:31 am
Thanks again for your help dementer and da cyanide!
I have already read this interesting tutorial. Unfortunately, I think like you, dementer: I have to check the kernel source directly to get the right answer.
But I don't have the time to do this now. I will consider that what the ip-sysctl.txt file says is true.
Many thanks again guys!