Firewalld IPv6_rpfilter default to loose on Workstations
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Default firewalld to using IPv6_rpfilter=loose for new Workstation installs.
Owner
- Name: Eric Garver
- Email: egarver@redhat.com
Detailed Description
Fedora Workstation variants use connectivity checks by default. These checks can fail for multi-homed hosts where firewalld uses IPv6_rpfilter=strict. As such, for these variants we should instead default to IPv6_rpfilter=loose to allow connectivity checks to function as intended.
Bug 2324434: IPv6_rpfilter=strict causes non-functional wired connectivity with NetworkManager
For IPv4 the rpfilter setting is already set to loose by default on all editions starting with Fedora 30. See: sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2 (systemd/systemd@230450d on GitHub)
Feedback
Benefit to Fedora
The benefit is that connectivity checks will work properly on multi-homed, e.g. wifi + LAN, workstations. This helps avoid certain scenarios that can degrade user experience when switching between modes of connectivity.
Scope
- Proposal owners: The change is a small patch in the RPM spec file. The only affected file will be /etc/firewalld/firewalld.conf.
- Other developers: N/A
- Release engineering: N/A
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
For systems upgrading to f42, the new value of IPv6_rpfilter depends on whether the user has customized /etc/firewalld/firewalld.conf. If no, then the RPM upgrade process will update the configuration to IPv6_rpfilter=loose. If yes, then the user configuration will be retained.
It's important to note that this change is a deviation from firewalld upstream. Firewalld upstream will still default to IPv6_rpfilter=strict.
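The upgrade rule above means the value a host actually ends up with is in /etc/firewalld/firewalld.conf, so an administrator may want to read it back. The POSIX sh snippet below is an added example, not part of this Change or of firewalld; it assumes (not stated on this page) that a missing key falls back to the upstream default of strict and that the legacy spellings yes/no mean strict/disabled, and it runs against constructed sample files rather than the live config.

```shell
# Added example (not from the Change proposal or firewalld): read back the
# effective IPv6_rpfilter setting from a firewalld.conf-style file.
# Assumptions: a missing key means upstream's default "strict"; the legacy
# values "yes"/"no" map to strict/disabled.

# Print the effective IPv6_rpfilter value for the given config file.
ipv6_rpfilter_value() {
    # Last uncommented "IPv6_rpfilter=<value>" wins; ignore surrounding
    # whitespace and any trailing "# comment".
    val=$(sed -n 's/^[[:space:]]*IPv6_rpfilter[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        "" | yes | strict) echo strict ;;
        loose)             echo loose ;;
        no)                echo no ;;
        *)                 echo "invalid:$val" ;;
    esac
}

# Succeed (exit 0) when the file does not carry the Workstation default
# proposed by this Change, e.g. a retained user customization.
differs_from_workstation_default() {
    [ "$(ipv6_rpfilter_value "$1")" != loose ]
}

# Constructed sample files standing in for /etc/firewalld/firewalld.conf.
tmpdir=$(mktemp -d)
# 1. Unmodified pre-change file: key only present as a comment, default applies.
printf '# IPv6_rpfilter=strict\nFlushAllOnReload=yes\n' > "$tmpdir/default.conf"
# 2. File as this Change would ship it for Workstation, with a trailing comment.
printf 'IPv6_rpfilter=loose  # multi-homed connectivity checks\n' > "$tmpdir/workstation.conf"
# 3. User-customized file using the legacy spelling; retained on upgrade.
printf 'IPv6_rpfilter=yes\n' > "$tmpdir/custom.conf"

for f in default workstation custom; do
    printf '%s: %s\n' "$f" "$(ipv6_rpfilter_value "$tmpdir/$f.conf")"
done
# Prints: default: strict, workstation: loose, custom: strict
```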
Early Testing (Optional)
Do you require "QA Blueprint" support? N
How To Test
No special hardware is required. A default Workstation should be sufficient.
Testing requires multiple network interfaces with internet access. Connectivity checks must be enabled (default). Tester must verify that the connectivity checks pass for both links.
User Experience
Connectivity checks work properly for multiple interfaces.
There is one specific scenario in which a non-functioning connectivity check can lead to a degraded user experience: A user with a laptop that is connected to their home WiFi connects said laptop to their home network using Ethernet, for example to transfer a larger file to a network drive. The user's home network provides internet access using both IPv4 and IPv6 addressing. The user expects the Ethernet connection to take precedence over the already established WiFi connection. However, due to the IPv6_rpfilter=strict setting the IPv6 connectivity check fails and the Ethernet connection is deemed not connected to the internet. NetworkManager thus adds a penalty to the Ethernet interface's routing metric, resulting in traffic to the local network and the internet preferring the WiFi interface over the Ethernet interface. If the WiFi connection is slower than the Ethernet connection this will lead to degraded performance when transferring that large file.
Dependencies
No dependencies.
Contingency Plan
- Contingency mechanism: Keep existing default of IPv6_rpfilter=strict.
- Contingency deadline: beta freeze
- Blocks release? No
Documentation
https://bugzilla.redhat.com/show_bug.cgi?id=2324434
Release Notes
Connectivity checks now work properly for multi-homed Workstations.
Last edited by @amoloney 2024-12-03T17:38:15Z